>
> The root must be signed.
I am moving to the conclusion that the root should not be signed. The crypto-politics involved are increasingly complex and scary, and the root is already too much of a political football. DNSSEC just makes the whole DNS that much more rigid, complex and contentious.
Anyway, in terms of priorities, DNSSEC comes at the end of the list in my book; it imposes the greatest burden on the root, it poses the greatest risks for a fairly small amount of added security.
Most of the enormous security problems we have on the Internet today will not be improved by DNSSEC implementation at the root. And many of the advantages of DNSSEC can be gained at the TLD level without signing the root.
IPv6 migration is far more important technically; new IDN gTLDs are more important economically.
My 100 won