The concern that the Libyan TLD registry might fake NS and/or DS records of 2LDs applies equally to unsigned and signed zones. So if that is a concern, why use an untrusted TLD, or why use DNS at all?
If you do not trust the Libyan TLD, configure a negative trust anchor for that TLD in your resolver.
Alternatively, if you want to pin that TLD to a particular KSK, configure that KSK as a (positive) trust anchor in your resolver.
If you do not trust the IANA at all, disable the IANA root in your resolver and add trust anchors for the domains you trust. Use lookaside validation if you find that too cumbersome and want to let others do that work for you.
Why did you pick an example that does not use DNSSEC? It seems your thesis would be a lot stronger if you used a top and second level domain that actually implemented DNSSEC:
```
root@fw:~# unbound-host -t A -v bit.ly
bit.ly has address 69.58.188.39 (insecure)
bit.ly has address 69.58.188.40 (insecure)
```
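For reference, the resolver options mentioned above (negative trust anchor, pinned KSK, no root anchor) look like this in Unbound, the resolver used in the lookup above. This fragment is an added example, not part of any comment in the thread; the `example.` zone, the key material and the file path are placeholders and assumptions.

```conf
# unbound.conf fragment (added example; zone names, key data and path are placeholders)
server:
    # Negative trust anchor: treat everything under ly. as insecure,
    # so no DNSSEC validation is attempted for names in that TLD.
    domain-insecure: "ly."

    # Positive trust anchor: pin a zone to a KSK obtained out of band.
    # Unbound validates from the closest enclosing trust anchor, so names
    # under this zone are checked against this key, not the parent's DS.
    trust-anchor: "example. DNSKEY 257 3 8 <BASE64-KSK-PLACEHOLDER>"

    # Not trusting the root: leave the root anchor unconfigured, so only
    # zones with an explicit trust-anchor above can validate as secure.
    # auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
```

`unbound-host -v` reports `(secure)` or `(insecure)` per answer, which is a quick way to confirm which anchor, if any, applied to a name.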
> Why did you pick an example that does not use DNSSEC?
Because I'm trying to illustrate how much additional security you might or might not get if you added DNSSEC, especially with regard to government entities.
The answer is "N/A." The .ly TLD is not signed, so DNSSEC could never attest to the authenticity of the A record for bit.ly.
In order for this to be a useful exercise you should structure the question in such a way that there is as much potential for government interference as possible. (Unless you are looking for a specific answer and you are trying to lead the respondent.) Government interference with DNSSEC is not limited to the `.` zone. Or put another way, DNSSEC's attack surface area is not limited to the sacred KSK.