2 Apr
2007
2 Apr
'07
10:45 a.m.
Hi,
Wouldn't the holder of these keys be the only ones able to spoof DNSSEC?
Yes. This is an assumption of DNSSEC, regardless of who signs the root. The implication of this (and the fact that emergency key rollover requires everyone on the planet with a validating resolver to update the root trust key manually) is that protecting the root key signing key is a bit important. Rgds, -drc