On Tue, Oct 27, 2009 at 6:26 PM, Milton L Mueller wrote:
> From: Jorge Amodio
>
>> DNSSEC is not a magic solution and it's only one of the tools to start building
>> a more secure infrastructure, and as McTim said just signing the TLDs doesn't
>> do it, since the "chain of trust" starts from the root.
>
> It doesn't have to start from the root. There can be a Trust Anchor Repository instead.

TARs are a temporary, non-scalable measure. One key is easier to configure, roll over, etc. Managing multiple keys (dozens or hundreds?) would not be workable. The design of DNSSEC is a chain of trust, followed from the root on down, hence one key.

--
Cheers,

McTim
"A name indicates what we seek. An address indicates where it is. A route indicates how we get there." Jon Postel