Thanks for a well-written document.  I found the background information in Section 1.1 to be particularly interesting.  Just a couple of very small editorial points there:

   operating system vendor was providing non-root trust anchors to the
   recursive resolver, which became out-of-date following the rollover.

Nit: This use of “out of date” should not be hyphenated, as it’s not directly modifying anything (“out-of-date trust anchors” would be hyphenated, but “the trust anchors are out of date” would not be).

   In 2021, Verisign researchers used botnet query traffic to
   demonstrate that certain large, public recursive DNS services exhibit
   very high query rates when all authoritative name servers for a zone
   return REFUSED or SERVFAIL [botnet].  When configured normally, query
   rates for a single botnet domain averaged approximately 50 queries
   per second.  However, when configured to return SERVFAIL, the query
   rate increased to 60,000 per second.

In the two “when configured” phrases it’s not clear what was configured, normally and otherwise.  Taken as written, it’s “query rates”, but those are clearly not things that get configured.  In trying to figure out what you *are* referring to, I find that a reader could infer either “public recursive DNS services” or “authoritative name servers”.  Let’s not make readers work that hard:

NEW
   In 2021, Verisign researchers used botnet query traffic to
   demonstrate that certain large, public recursive DNS services exhibit
   very high query rates when all authoritative name servers for a zone
   return REFUSED or SERVFAIL [botnet].  When the authoritative servers
   were configured normally, query rates for a single botnet domain
   averaged approximately 50 queries per second.  However, with the
   servers configured to return SERVFAIL, the query rate increased to
   60,000 per second.
END

I have no other comments on the document, and I think it's ready to go.