Review update: I got the list of vendors wrong, below. Fixed in this revision.

Thank you for processing my previous comments. The document is in great shape.
I have one nit:

One of the new sections based on my earlier comments is "2.7.  FORMERR
Responses". It currently says

> Upon receipt of a FORMERR response, recursive clients generally retry their
queries without EDNS(0).

For most resolver implementations (Knot, PowerDNS, BIND, but not Unbound), this
is only true if the FORMERR response does not contain EDNS(0)/OPT. There are
auths out there that send FORMERR+OPT responses, and they are not getting
non-EDNS0 fallback behaviour from such resolvers.

> Thus, resolution failures from FORMERR responses are rare.

This, meanwhile, remains true. When they happen, they tend to be persistent,
and noticed, leading to fixes.

I don't have a strong suggestion for rewording. Perhaps replace "recursive
clients generally" with "some recursive clients might"? I can also live with
the current text, but I did want to point out this nuance.