Re: AS8584 taking over the internet
Scott, the DNS is in this use simply a distributed database, that with DNSSEC seems reasonably secure. The hierarchy in the DNS-protocol-using distributed database used for IP address to origin AS mapping need not branch off the DNS-protocol-using distributed database used for domain name->address mapping and the like, which we normally just call the DNS.

Remember moreover that what one is doing is simply grabbing entries from a distributed database which can be used to synthesize a table which would be consulted by BGP border routers in determining whether to accept or reject a route. One could conceivably have a single zone which could be snarfed from well known places using the latest in authenticated file transfers. However, decentralization of work already happens in the transfer of IP address blocks from regional registries to local registries to more local registries still, and it seems to make sense to simultaneously distribute the work of maintaining the address-block-to-originating-AS map as well.

Therefore, what one wants is a "root" which one can find at well known places and can retrieve using the latest in authenticated file transfers, and which allows one to follow an authenticated tree of delegated zones in building a local table of mappings. Whether this "root" is really a parallel "." or something else seems academic; one will require the same mechanism to retrieve a cryptographically-authenticated copy of the "root" from well known sources that can prove, cryptographically, who they are.

The solution proposed is incomplete, certainly, but not because of possible political instabilities in what we call the DNS.

I am not sure why you raise the issue of trusting IP registries to delegate authority for any given subzone along with the addresses themselves. This doesn't seem to make sense. Perhaps you could explain this concern a little more concretely?

Sean.
Sean M. Doran
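The scheme Sean sketches above, an authenticated tree of delegated zones that a router operator walks from a trusted "root" to synthesize a local address-block-to-origin-AS table, and then consults to accept or reject a route, can be shown end to end in a few dozen lines. The following is an added example, not code from the original thread or from any registry or router vendor; it uses Ed25519 signatures from the Go standard library, a hypothetical canonical text format for what each zone signs, RFC 5737 documentation prefixes, and private AS numbers 64496 and 64497. The names Zone, Delegation, Build and Check are assumptions for illustration. It also addresses the delegation point raised at the end of the message: a child zone is believed only for address space its parent actually delegated to it, so a local registry that signs an entry for a block it was never given is rejected along with its whole zone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net/netip"
	"strings"
)

// Entry is one row of the synthesized table: an address block, the longest
// prefix length it may be announced with, and the AS allowed to originate it.
type Entry struct {
	Prefix netip.Prefix
	MaxLen int
	Origin uint32
}

// Delegation hands sub-blocks of a zone's address space to a child zone,
// identified by the child's public key. Child is nil if not yet fetched.
type Delegation struct {
	Blocks   []netip.Prefix
	ChildKey ed25519.PublicKey
	Child    *Zone
}

// Zone is one node of the delegated tree (root, registry, local registry, ...).
type Zone struct {
	Name        string
	Entries     []Entry
	Delegations []Delegation
	Sig         []byte // signature over body() by the key the parent delegated to
}

// body is the canonical text a zone key signs (hypothetical format, assumed here).
func (z *Zone) body() []byte {
	var b strings.Builder
	for _, e := range z.Entries {
		fmt.Fprintf(&b, "E %s %d %d\n", e.Prefix, e.MaxLen, e.Origin)
	}
	for _, d := range z.Delegations {
		fmt.Fprintf(&b, "D %v %x\n", d.Blocks, []byte(d.ChildKey))
	}
	return []byte(b.String())
}

func (z *Zone) sign(priv ed25519.PrivateKey) { z.Sig = ed25519.Sign(priv, z.body()) }

func pfx(s string) netip.Prefix { return netip.MustParsePrefix(s).Masked() }

// within reports whether p is equal to or more specific than block.
func within(block, p netip.Prefix) bool {
	return block.Bits() <= p.Bits() && block.Contains(p.Addr())
}

// Build verifies the tree from a trust anchor key and synthesizes the table.
// The root is believed for all address space; every other zone only for what
// its parent delegated to it.
func Build(root *Zone, anchor ed25519.PublicKey) ([]Entry, error) {
	return walk(root, anchor, []netip.Prefix{pfx("0.0.0.0/0"), pfx("::/0")})
}

func walk(z *Zone, key ed25519.PublicKey, scope []netip.Prefix) ([]Entry, error) {
	if !ed25519.Verify(key, z.body(), z.Sig) {
		return nil, fmt.Errorf("zone %s: signature does not verify", z.Name)
	}
	inScope := func(p netip.Prefix) bool {
		for _, s := range scope {
			if within(s, p) {
				return true
			}
		}
		return false
	}
	var table []Entry
	for _, e := range z.Entries {
		if !inScope(e.Prefix) || e.MaxLen < e.Prefix.Bits() || e.MaxLen > e.Prefix.Addr().BitLen() {
			return nil, fmt.Errorf("zone %s: entry %s outside delegated space", z.Name, e.Prefix)
		}
		table = append(table, e)
	}
	for _, d := range z.Delegations {
		for _, blk := range d.Blocks {
			if !inScope(blk) {
				return nil, fmt.Errorf("zone %s: delegation %s outside delegated space", z.Name, blk)
			}
		}
		if d.Child == nil {
			continue
		}
		sub, err := walk(d.Child, d.ChildKey, d.Blocks)
		if err != nil {
			return nil, err
		}
		table = append(table, sub...)
	}
	return table, nil
}

// Check is the lookup a border router makes for an announced (prefix, origin AS).
func Check(table []Entry, route netip.Prefix, origin uint32) string {
	covered := false
	for _, e := range table {
		if !within(e.Prefix, route) {
			continue
		}
		covered = true
		if e.Origin == origin && route.Bits() <= e.MaxLen {
			return "valid"
		}
	}
	if covered {
		return "invalid" // an entry covers the route but none allows this origin/length
	}
	return "unknown" // nothing in the table speaks for this space
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildDemo constructs a three-level tree (root -> registry -> local registry)
// over constructed documentation address space and returns the synthesized
// table. With rogue set, the local registry also signs an entry for a block
// it was never delegated, which must cause the walk to fail.
func BuildDemo(rogue bool) ([]Entry, error) {
	rootPub, rootPriv := mustKey()
	regPub, regPriv := mustKey()
	lirPub, lirPriv := mustKey()
	lir := &Zone{Name: "lir", Entries: []Entry{{pfx("203.0.113.0/25"), 26, 64497}}}
	if rogue {
		lir.Entries = append(lir.Entries, Entry{pfx("198.51.100.0/24"), 24, 64497})
	}
	lir.sign(lirPriv)
	reg := &Zone{Name: "registry",
		Entries:     []Entry{{pfx("198.51.100.0/24"), 24, 64496}},
		Delegations: []Delegation{{[]netip.Prefix{pfx("203.0.113.0/24")}, lirPub, lir}}}
	reg.sign(regPriv)
	root := &Zone{Name: "root", Delegations: []Delegation{
		{[]netip.Prefix{pfx("198.51.100.0/24"), pfx("203.0.113.0/24")}, regPub, reg}}}
	root.sign(rootPriv)
	return Build(root, rootPub)
}

func main() {
	table, err := BuildDemo(false)
	if err != nil {
		panic(err)
	}
	for _, r := range []struct {
		p  string
		as uint32
	}{{"198.51.100.0/24", 64496}, {"198.51.100.0/24", 64500}, {"203.0.113.0/26", 64497},
		{"203.0.113.0/27", 64497}, {"192.0.2.0/24", 64496}} {
		fmt.Printf("%-16s AS%d -> %s\n", r.p, r.as, Check(table, pfx(r.p), r.as))
	}
	_, err = BuildDemo(true)
	fmt.Println("rogue tree:", err)
}
```

The three outcomes of Check are what a router's policy would act on: accept "valid", drop or depreference "invalid", and treat "unknown" as it does today, since the table is only as complete as the zones that have been published and fetched. Signature checks and scope checks are done on every level of the walk, so the only key an operator must obtain out of band is the anchor for the "root" zone.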