The step that takes the zone contents and signs it just before publication, of course. There is no need to systematically revise the root zone management process as the input to the zone signing process is the already modified zone. In reality, DNSSEC has precisely zero impact on Internet governance. The _only_ thing DNSSEC gives you is the ability to determine whether or not a set of resource records in a zone has been modified between when it was published on the authoritative server and when a client (typically a caching resolver) has fetched it. Rgds, -drc