In article <CAJNn=DNMrGC42i4Q_Wjvz-i9uV_4w1YnfM8vcX4g_wnXLoT=vA@mail.gmail.com> you write:
> Except that this just shifts the burden of trust onto DNSSEC, which also necessitates a central authority of 'trust'. Unless there's an explicitly more secure way of storing DNSSEC private keys, this just moves the bullseye from CAs to DNSSEC signers.
It does, but it also limits the damage. If you lose your DNSSEC key, bad guys can forge names below you in the DNS tree. If you lose your CA key, bad guys can forge any name they want. Or to look at it another way, if I put effort into securing my own DNS, and I am careful about the providers above me in the tree, I can limit the chance of DNSSEC compromise. With SSL, it doesn't matter what I do, I'm always at the mercy of the next DigiNotar.

R's,
John
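To make the "limits the damage" argument concrete, here is an added example (not part of the thread) that models the blast radius of a compromised signing key under the DNSSEC chain-of-trust model versus the CA model; the names, zones and CA labels are constructed for illustration.

```python
# Added example, not from the original thread. Models which names an attacker
# could forge after compromising (a) one DNSSEC zone key or (b) one trusted CA.
# All names, zones and CA labels below are constructed for illustration.

# Constructed sample of names a client might look up.
NAMES = ["www.example.com", "mail.example.com", "shop.example.org", "www.bank.example"]

def zone_chain(name):
    """Zones whose signatures a validator relies on for `name`, root first.
    e.g. 'www.example.com' -> ['.', 'com.', 'example.com.', 'www.example.com.']"""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain

def forgeable_dnssec(compromised_zone, names):
    """Names forgeable by whoever holds `compromised_zone`'s key: the zone
    itself and everything below it (each child's DS record hangs off its
    parent), but nothing outside that subtree."""
    return sorted(n for n in names if compromised_zone in zone_chain(n))

def forgeable_ca(compromised_ca, trusted_cas, names):
    """In the CA model every trusted CA may vouch for any name, so a single
    compromised trusted CA makes every name forgeable."""
    return sorted(names) if compromised_ca in trusted_cas else []

if __name__ == "__main__":
    # Losing your own zone key: damage stays under example.com.
    print("example.com. key lost:", forgeable_dnssec("example.com.", NAMES))
    # A careless parent (the TLD) widens the radius to its whole subtree.
    print("com. key lost:", forgeable_dnssec("com.", NAMES))
    # Any trusted CA lost: every name, regardless of what you did.
    print("trusted CA lost:", forgeable_ca("ConstructedCA", {"ConstructedCA", "OtherCA"}, NAMES))
```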