Ah my little relevance seeking academic, any one can put a trust anchor into Microsoft Windows. It’s the same as adding a new SSL certificate. It simply is not that hard. Why not even have a few to guard against innocent mistakes in any one root server constellation. Key rollover isnt the end user's problem either as it can be automated by whoever you pick as your root servers. The inflammatory and misleading arguments you often like to make may help your career but only (further) erode foreign relations by misleading other bureaucrats into thinking there is some control issue here. There isn’t. Give people the truth and let them decide for themselves. You have grad students – go ahead and build your own DNSSEC signed root and point to it. Works just fine. But maybe it is your and the plan of other IGF hangers on to continue to convince their employers that they are doing something important in an area that has no place for politics. I don’t begrudge anyone trying to hang onto their job but lets get real here. The thing to do here is to put the (real) technical people from all sides in a room to talk about it without “externalities” like govt peer pressure. They WILL arrive at the same conclusion like the previous writer said, DNSSEC just doesnt make a difference.