The Register® — Biting the hand that feeds IT


Re: Sign each TLD separately?

I've not read all of the DNSSEC RFCs, but the way this works for HTTPS is that your system (by nature of installing the web browser) has a list of trusted root public keys, and each key lookup is a chain of signatures which must end up being signed by one of the configured roots.

RFC 4033 similarly implies that you can store a list of "trusted root keys", i.e. a country such as China could easily add extra keys, or a company can add its own root key for signing internal web sites instead of paying Verisign for internal systems.

As such, the article says "in the simplest case, a single root" but a non-single solution could also be possible. It depends on how keen people really are to implement DNSSEC at all.

A possibly bigger political question is what the companies who sell HTTPS certificates will make of this, given that DNSSEC may overlap or reduce some of the need for HTTPS, and the current market for HTTPS certificates makes a bunch of money. This therefore raises the question of who would get the money for all of the DNSSEC certificates if there's a single root signer.
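An added illustration of the trust-anchor point made in the comment above (toy code written for this page, not from the commenter or any DNSSEC implementation): a validator walks a chain of signatures upward and accepts it only if the top key is one of its configured anchors, and because the anchors are a list rather than a single root, a company can add its own root key next to the public one. Zone names and keys are constructed, Ed25519 stands in for whatever algorithm a real zone uses, and the Link struct is a simplification of DNSKEY/DS/RRSIG, not the DNS wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Link: one zone's key plus, except at the top, the parent's signature over it (~DNSKEY/DS/RRSIG).
type Link struct {
	Key       ed25519.PublicKey
	ParentSig []byte // nil for the topmost zone
}
// NewChain: fresh keys for n zones (leaf first, top last), each parent
// signing its child's key. Constructed demo data, not real zones.
func NewChain(n int) ([]Link, error) {
	chain, privs := make([]Link, n), make([]ed25519.PrivateKey, n)
	for i := range chain {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		chain[i], privs[i] = Link{Key: pub}, priv
	}
	for i := 0; i+1 < n; i++ {
		chain[i].ParentSig = ed25519.Sign(privs[i+1], chain[i].Key)
	}
	return chain, nil
}
// Validate checks each key against its parent's signature, leaf upward, then requires the top key to be a configured anchor.
func Validate(chain []Link, anchors []ed25519.PublicKey) bool {
	for i := 0; i+1 < len(chain); i++ {
		if !ed25519.Verify(chain[i+1].Key, chain[i].Key, chain[i].ParentSig) {
			return false // broken or missing signature inside the chain
		}
	}
	for _, a := range anchors {
		if len(chain) > 0 && a.Equal(chain[len(chain)-1].Key) {
			return true
		}
	}
	return false // consistent chain, but it ends at a key nobody trusts
}
func main() {
	public, _ := NewChain(3) // www.example. -> example. -> .
	corp, _ := NewChain(2)   // wiki.corp. -> corp., a company's private root
	anchors := []ed25519.PublicKey{public[2].Key}
	fmt.Println(Validate(public, anchors), Validate(corp, anchors)) // true false
	fmt.Println(Validate(corp, append(anchors, corp[1].Key)))       // true
}
```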