Hi,

I have reviewed this document as part of the Security Directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the Security Area Directors. Document authors, document editors, and WG chairs should treat these comments just like any other IETF Last Call comments.

The document is clear and straightforward.

The Security Considerations states that this extension document does not change the security properties of DNS itself, and I agree. It also makes the following statement:

   It should however be noted that this method does increase the potential amplification factor when the DNS protocol is used as a vector for a denial of service attack.

I'm not sure this is correct. Servers could (and often did) send large responses already when QTYPE=ANY was specified even if - as the draft acknowledges - RFC 8482 allows sending just one. So I don't think this document really makes the amplification problem worse.