1 files changed, 5 insertions, 5 deletions

diff --git a/middleware/dnssec/README.md b/middleware/dnssec/README.md
index 34d5680c0..3b90be46d 100644
--- a/middleware/dnssec/README.md
+++ b/middleware/dnssec/README.md
@@ -8,18 +8,18 @@
 dnssec [zones...]
 ~~~
 
-* `zones` zones that should be signed. If empty the zones from the configuration block
+* `zones` zones that should be signed. If empty, the zones from the configuration block
     are used.
 
-If keys are not specified (see below) a key is generated and used for all signing operations. The
-DNSSEC signing will treat this key a CSK (common signing key) forgoing the ZSK/KSK split. All
+If keys are not specified (see below), a key is generated and used for all signing operations. The
+DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All
 signing operations are done online. Authenticated denial of existence is implemented with NSEC black
 lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to
 RSA).
 
 A signing key can be specified by using the `key` directive.
 
-WARNING: when a key is generated there is currently no way to extract any key material from CoreDNS,
+WARNING: when a key is generated there is currently no way to extract any key material from CoreDNS, as
 this key only lives in memory. See issue <https://github.com/miekg/coredns/issues/211>.
 
 TODO(miek): think about key rollovers.
@@ -31,7 +31,7 @@ dnssec [zones... ] {
 }
 ~~~
 
-* `key file` indicates key file(s) should be read from disk. When multiple keys are specified, RRset
+* `key file` indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets
   will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
   ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*.