This attack is prevented by DNSSEC chains of trust. Just because Verisign sign the root and .com, doesn't mean they can undetectably fake a response from further down the tree, because they don't have the keys for that.

They could sign a false delegation, in which case it would be instantly detectable because it wouldn't match any other published delegation data.

You could execute this attack on a single target, assuming you can sit inline with their IP transit and spoof DNS responses from the listed nameserver, but that isn't SOPA.

Finally, no-one owns the root key. You should take a look at the root signing ceremony. That's quite of list of people you'll have to compromise. Have fun working out how to hack it.

er, no.

if you sign a zone, *you* have its dnssec keys, not verisign. the only action your parent zone can do - verisign in the case of .com or .net - is delete your delegation or the info that says it's signed. which they could do anyway. this would not be undetectable. in fact it would be glaringly obvious. people usually notice when names in the dns fail to resolve.

as for "the one key to rule them all", you've got that utterly wrong too.

the only thing the parent zone could do would be to remove the child's delegation or delete the info that says the delegation is signed. that could not go unnoticed. if the root tried to do that to a tld, it would be very, very far from undetectable. it would also create an almighty shit-storm because it would destabilise the security and stability of the internet, inferfere in matters of national sovereignty, force a united nations organisation to "take control" of the root, etc, etc.

you clearly don't understand how the root zone is signed either. no single entity has access to the root zone's key signing key: the one key that really does rule them all. the system and processes were intentionally designed that way. access to this key requires a group of trusted community representatives to gather in one place so that the key can be assembled. [the details are more complicated than that and would take too long to explain here.] the upshot of this is iana or icann would need these trusted community representatives to co-operate with any court orders.

the names and nationalities of these representatives is published. the majority of them are not american citizens.

i think you need to get yourself a new tin-foil hat 'cos the one you're wearing is obviously defective.

3.1415926539....

Didn't politicians once legislate that Pi = 3 in law?

Idiots isn't nearly strong enough. On any rational scale, politicians would have to have negative IQs, if zero is taken to be the result of random guessing.

I use DNSSEC all the time, for distribution of my ssh keys.

If you visit https://dnssec.imperialviolet.org/ with Chrome then you have also just used a DNSSEC chain of trust to validate the hash of a SSL certificate.