dougm> You are right, if you can compromise a registrar that permits dougm> DNSSEC to be disabled (without notification/confirmation to POCs dougm> etc), then you only have a limited period (max of DS TTL) of dougm> protection for those resolvers that have already cached the DS. johnl> As far as I can tell, that's roughly all of them. If you have johnl> the credentials to log in and change the NS, you can change or johnl> remove the DS, too. Yes, though with the 1 day TTL most registries put on DS records, you at least have the chance to notice your DS has changed or been deleted and attempt to recover your registry account. That is somewhat a "locking the barn door" approach, and 2FA and other account security is the best solution. However, we are in a world now where every layer of security we can add is probably a good idea and having a day to notice could be handy. DNSSEC isn't useless but it solves one specific problem, end to end data integrity. It also requires operational cleanliness and attention to detail. We shouldn't make claims about what it can't do; we're much better off getting everyone to understand what it does and doesn't do. And underline what other security best practices they should be following. If someone owns your registry account, you're screwed. And right now, it tends to be the most neglected part of the entire zone ownership world. Let's use this opportunity to help folks lock down their accounts, not muddying the waters with dubious claims.