DNSSEC just makes things more visible. Once deployed, every nameserver system administrator will encounter a configuration element, i.e. root trust anchor, which is cryptographically bound to some "entity." No worry for the overwhelming wast majority of cases. But in the very few cases where the "entity" qualification matters, it triggers an escalation of political concerns. The political concerns are already influencing the way the USG is handling its unique oversight position over ICANN. DNSSEC does not change this, it just makes it more acute. I would like to see the view that DNSSEC changes nothing supported by a better document. The current one assumes the RZM function to be separate from IANA, while in fact it is being "transitioned" to ICANN, by the will of the USG and the efforts of IANA (and Verisign?). Turning to DNSSEC technicalities, does it matter that root KSKs and ZSKs are generated and used by a single entity? - Thierry Moreau