Re: Securing the Root: The root of the problem, creating a trust anchor(s)
by Anonymous
In summary, Brenden explains the two approaches to cope with a sparse DNSSEC deployment in the zone hierarchy, the manual configuration and DLV, and concludes, rightly, that root signature is the way to go. This last Friday, I brought up two contributions to address these two issues. I should resist my personal modesty and say "significant contributions." Actually, it's the synergy between the two that I find promising. By the phrase "DNS root nameserver substitution for DNSSEC purposes," I try to legitimize an alternate root operation in which the IANA root zone file contents are not put into question, except that DNSSEC support at the root is introduced.

The first contribution (http://www.ietf.org/internet-drafts/draft-moreau-srvloc-dnssec-priming-00.txt) applies SLP, the Service Location Protocol (RFC2680), to facilitate the DNS resolver configuration within an SLP administrative domain (not to be confused with a DNS domain), that is, a scope in the universe of DNS *resolving* entities, e.g. a multinational corporation, a government, a campus, or perhaps a consortium of ISPs. This can be done in a two-tiered arrangement, where a first tier does the DNSSEC signature and key management, and a second tier operates the substitute nameservers. There is a smaller number of operators in the first tier than in the second tier. The first tier deals primarily with cryptographic key management; the second tier runs root nameservers on the public Internet. The first tier may spawn many SLP administrative domains; the second tier may be more focused. So, a clever deployment of SLP deploys a signed DNS root! Without waiting for ICANN. Without a single alternate root facing the global Internet scaling issue. So far, so good.

The second contribution (http://www.connotech.com/optin_for_dnssec.pdf) is an opt-in scheme for direct delegation, say from the signed root zone to a signed example.com zone. In contrast with the DLV scheme, this new form of delegation does not require any on-line nameservers, just a few additional DNSKEY and signature entries in two signed zones. The R&D department at Verisign contributed to the latest addition to the DNSSEC protocol suite, known as NSEC3, notably to promote an "NSEC3 opt-out" provision in the protocol. The huge size and growth of the .com zone might have been a show stopper for DNSSEC without NSEC3 opt-out. My opt-in proposal altogether circumvents a lack of DNSSEC support in large TLDs. Sounds magic? Well, there is a limitation, and deployment does not come without pain simply because the community does not have to wait for ICANN and large TLDs.

- The limitation is a known loophole in the DNSSEC security services: the opt-in proposal has a caveat similar to NSEC3 opt-out with respect to the DNSSEC security service called "authenticated denial of existence" - the attractiveness of the original DNSSEC deployment scenario is intact.
- The provisioning of opt-in delegations is comparable to the provisioning of secure delegation from a secure parent zone. No free lunch here.
- Circumventing large TLDs requires a signed zone, so the SLP deployment remains in the todo list.

ICANN has a monopoly for TLD registrations. Verisign has a dominant market position, if not a monopoly, as the .com registry. It is perhaps a good thing that the initial registration of SLDs (second-level domains like example.com) in the DNSSEC service be done by a service entity enjoying the artificial monopoly created by my patent application. The whole thing is about reaching a critical mass; initial market fragmentation would be counterproductive. For those who ideologically oppose patents, I refer to the conclusion of a committee chaired by the late George Washington. Unfortunately, the comment period for this committee is closed, see http://www.archives.gov/national-archives-experience/charters/constitution_transcript.html#1.8.8.

Actually the US constitutional basis for the patent system had a significant impact on the current international intellectual property regime; we just live with it. The status of each contribution is self-explanatory from the respective documents. I think it is too early to tell how either one, or their synergy, may withstand review and critique, and in which form they may move forward.
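The "authenticated denial of existence" caveat that the comment above attributes to NSEC3 opt-out, shown as an added example that is not part of the original post nor of either proposal: the same covering NSEC3 record yields a proof of absence when the Opt-Out flag is clear, but only an "insecure" conclusion when it is set, because an unsigned delegation may sit in the hashed gap. The hash parameters and names are borrowed from RFC 5155 Appendix A; the shortened chain and the chain-building helper are constructed here for illustration.

```python
import hashlib

# RFC 4648 "base32hex" alphabet: its character order matches the raw hash byte order,
# so hashed owner names can be compared as plain strings.
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def b32hex(data):
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(wire || salt), then `iterations` further rounds."""
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return b32hex(h)  # 160 bits -> exactly 32 base32hex characters


def build_chain(signed_names, salt, iterations, opt_out):
    """Constructed helper: NSEC3 chain as (owner, next, opt_out) tuples, sorted with wraparound."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in signed_names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)], opt_out) for i in range(len(hashes))]


def denial_status(qname, chain, salt, iterations):
    """What a validator may conclude about qname from the covering NSEC3 alone."""
    x = nsec3_hash(qname, salt, iterations)
    for owner, nxt, opt_out in chain:
        if x == owner:
            return "exists"
        wrapped = owner > nxt  # the last record points back to the first
        if (owner < x < nxt) or (wrapped and (x > owner or x < nxt)):
            # With Opt-Out set, an unsigned delegation may live in this gap without
            # being hashed, so the gap is not authenticated denial of existence.
            return "insecure-gap" if opt_out else "proven-absent"
    return "broken-chain"


# Parameters from RFC 5155 Appendix A (algorithm 1, iterations 12, salt aabbccdd);
# the signed-name set is a constructed subset, and c.example stands for a delegation
# the operator left out of the chain.
SALT, ITER = bytes.fromhex("aabbccdd"), 12
SIGNED = ["example", "a.example", "ns1.example", "w.example", "xx.example"]


def demo(qname="c.example"):
    """Validator conclusion for qname with Opt-Out clear (False) and set (True)."""
    return {flag: denial_status(qname, build_chain(SIGNED, SALT, ITER, flag), SALT, ITER)
            for flag in (False, True)}
```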