I thought your first comment was just grumbling, but this comment
suggests some misunderstanding.
The root zsk is split over a group (Shamir share) held by
mostly non-US key holders. (One from the US is Dan
Kaminsky, whose work and my user name have special
relevancy for you. You'd agree he's not part of the US
government.)
I believe all the key holders are trustworthy, and if any were
not, you'd need a majority (5 of the 7) to subvert the zsk.
So an xkcd-wrench-style attack on the key by governments would
require implausible circumstances.
The key ceremony is video taped and can be watched:
https://www.youtube.com/watch?v=b9j-sfP9GUU
Other TLDs (some being countries) also hold key signing
ceremonies and video tape them. You can watch other
countries perform key signing as well. But these sovereign zsks are
subordinate to the ICANN community held keys.
I.e., it's more accurate (than your statement) to say that
there are seven people walking the earth who have
parent keys over actual country sovereign zones. And while you
might not know all these people yourself, they're from the DNS
operator and hacker community. If anything, you're 180 degrees
wrong in your statement that governments run DNSSEC.
You can read more about the DNSSEC root zone key management
process and people (non-governmental) online. Here are informal
press stories with the usual set of mistakes and minor errors:
And the root DNSSEC operation in general:
I don't see the government in DNSSEC. Not even ICANN
can alter the root zsk (but they are of course instrumental
in any key roll over, since they manage the physical facilities
where the "DNSSEC Seven" must be iris scanned, etc., to sign
any proposed new root key).
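The 5-of-7 threshold described in the comment above, as an added example that is not part of the original comment: a Shamir split and recovery in Python showing that five shares rebuild the secret and four do not. The field prime, the function names and the random stand-in secret are assumptions made for illustration, and this is not the tooling used in the root key ceremony.

```python
import secrets

# Assumed field: arithmetic is done modulo the Mersenne prime 2**127 - 1.
PRIME = 2**127 - 1


def split_secret(secret, threshold=5, holders=7):
    """Return one (x, y) share per holder; any `threshold` shares recover `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in [0, PRIME)")
    if not 1 <= threshold <= holders:
        raise ValueError("threshold must be between 1 and the number of holders")
    # Random polynomial f of degree threshold-1 with f(0) = secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        return y

    return [(x, f(x)) for x in range(1, holders + 1)]


def recover_secret(shares):
    """Lagrange-interpolate f(0) from the supplied shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("each share may be used only once")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo():
    """Split a constructed stand-in secret 5-of-7; try recovery with 5 and with 4 shares."""
    key = secrets.randbelow(PRIME)  # constructed sample value, not a real key
    shares = split_secret(key, threshold=5, holders=7)
    five_ok = recover_secret(shares[2:7]) == key
    four_ok = recover_secret(shares[:4]) == key
    return five_ok, four_ok
```

With only four shares the interpolation still returns a number, but it matches the secret only with probability about 1 in 2**127, so holders below the threshold learn nothing usable.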