Tony, Thanks for this explanation! I think this is what I've been looking for regarding securing DNSSEC.
and how about a end user, who doesn't understand a computer at all, to be able verify the signatures, correctly?
The current trust model for DNSSEC relies on the vendor of the validator to bootstrap trust in the root key. This is partly a matter of pragmatism since the validator is a black-box agent acting on the user's behalf, like any other software.
It is also required by the root key management policies, since a root key rollover takes a small number of weeks, much shorter than the not-in-service shelf life of validating software and hardware. This means that a validator cannot simply use the root key as a trust anchor and expect to work: it needs some extra infrastructure supported by the vendor to authenticate the root key if there happens to have been a rollover between finalizing the software and deploying it.
Tony.
-- //fredan