"Is that one step?" Conceptually speaking, yes. Technically, it may consist of multiple steps, but in terms of root management procedures, it is a single step. Output of the root modification procedure is fed to the DNSSEC signing procedure and the output of that procedure is fed to the root zone publication procedure. "who controls the keys?" Indeterminate at this time (at least I am unaware of any decision regarding who holds the root KSK). How is that relevant to systematic revision to the root management procedure? "If you define it more broadly (...) as the preparation of the zone file for publication, then lots will change." OK, I'll bite. Define "lots". From a technical perspective, little needs to change and there certainly is no requirement for "systematic" revision to procedures in order to implement DNSSEC. Presumably, you believe there are non-technical changes that will be required. What are they? Rgds, -drc