>> The root must be signed. > > I am moving to the conclusion that the root should not be signed. The crypto-politics involved are increasingly complex and scary, and the root is already too much of a political football. DNSSEC just makes the whole DNS that much more rigid, complex and contentious. Don't rush your conclusion, I agree with the statement that who signs what and how is a a very contentious issue and there is a lot of politics involved, but the risk for a new attack is very high. Read the following article and I'll get back with more comments. http://searchsecurity.techtarget.com/news/interview/0,289202,sid14_gci1360143,00.html# Regards Jorge