This version adds more discussions about DNSSEC to priming exchange, which I think need clearer statements.

In this document, the authors say “With such resolvers, an attacker that controls a rogue root server effectively controls the entire domain name space and can view all queries and alter all unsigned data undetected.”   

However, this is not true when a DNSSEC-aware resolver has been configured with one or more Trust Anchors from some TLDs. In such case, it is not safe to say "an attacker that controls a rogue root server effectively controls the entire domain name space".