On Nov 25, 2013, at 12:11 PM, David Conrad <drc@xxxxxxxxxxxxxxx> wrote:

> What does that mean? Exactly what threat are you imagining an NSL would be used to hide?

Hi, this is the FBI; we would like a copy of the DNSSEC root private key, please, and don't tell anyone you gave it to us.

The same attack would work on .com as well, of course, without bothering with the root key.

To be clear, this is a threat that can be addressed, but we should be thinking about it as part of the threat model when talking about replacing CA PKI with DANE. In point of fact, I would argue that the two certificate hierarchies have different threat models, and that we ought to keep both and use them for cross-validation where appropriate, not just throw all our eggs in a different basket and hope for the best.
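The cross-validation policy proposed above, as an added worked example (not code from the thread or from any of its participants): a client accepts a server certificate only if the PKIX (CA) path validated AND a DNSSEC-secured TLSA record matches it. TLSA field semantics follow RFC 6698 (usage, selector, matching type); the PKIX result and the DNSSEC-secure flag are taken as inputs, since the point is the combination, not either validator. Only selector 0 (full certificate) is implemented; selector 1 (SubjectPublicKeyInfo) would need DER parsing. The certificate bytes and TLSA records are constructed placeholders, and the function names are this example's own.

```python
"""Cross-validate a TLS server certificate chain against both a PKIX path
result and DANE TLSA records (RFC 6698). Added example, not from the thread.
Certificate bytes below are constructed placeholders, not real DER."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo (not handled here)
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse RFC 6698 presentation form: 'usage selector matching hex...'."""
    usage, selector, matching, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts)))


def _association_data(cert_der: bytes, matching: int) -> bytes:
    """Certificate Association Data a record with this matching type would carry."""
    if matching == 0:
        return cert_der
    if matching == 1:
        return hashlib.sha256(cert_der).digest()
    if matching == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_matches(chain_der: list[bytes], rec: TLSA) -> bool:
    """True if the record matches the chain (chain_der[0] is the end-entity cert).
    Usages 1 and 3 must match the end-entity cert; usages 0 and 2 may match any
    cert in the path (simplification: the path is taken to be the presented chain)."""
    if rec.selector != 0:
        raise NotImplementedError("selector 1 (SPKI) requires DER parsing of the certificate")
    if rec.matching not in (0, 1, 2):
        return False  # unknown matching type: unusable record, treat as no match
    candidates = chain_der[:1] if rec.usage in (1, 3) else chain_der
    return any(_association_data(c, rec.matching) == rec.data for c in candidates)


def cross_validate(chain_der: list[bytes], pkix_ok: bool,
                   tlsa_records: list[TLSA], dnssec_secure: bool) -> dict:
    """Require BOTH hierarchies to agree. Note this deliberately ignores the
    'PKIX not required' meaning of usages 2/3: under the cross-validation
    policy a compromised DNS key alone must never be sufficient."""
    dane_ok = dnssec_secure and any(tlsa_matches(chain_der, r) for r in tlsa_records)
    return {"pkix": pkix_ok, "dane": dane_ok, "accept": pkix_ok and dane_ok}


# Constructed sample inputs (placeholders, not real certificates).
EE_DER = b"constructed-placeholder: end-entity certificate DER bytes"
CA_DER = b"constructed-placeholder: issuing CA certificate DER bytes"
CHAIN = [EE_DER, CA_DER]
TLSA_RDATA = "3 0 1 " + hashlib.sha256(EE_DER).hexdigest()   # pins the real EE cert
ROGUE_RDATA = "3 0 1 " + "00" * 32                            # pins something else


def demo() -> tuple[dict, dict, dict]:
    """Three scenarios from the thread's threat model."""
    # Honest case: CA path validates and the signed TLSA record matches.
    good = cross_validate(CHAIN, True, [parse_tlsa(TLSA_RDATA)], True)
    # Zone key compromised: a matching TLSA record can be published for any
    # cert, but without a CA-issued cert the PKIX check fails.
    dns_only = cross_validate(CHAIN, False, [parse_tlsa(TLSA_RDATA)], True)
    # CA mis-issuance: the path validates, but DNS still pins the real cert.
    ca_only = cross_validate(CHAIN, True, [parse_tlsa(ROGUE_RDATA)], True)
    return good, dns_only, ca_only


if __name__ == "__main__":
    for name, result in zip(("good", "dns_only", "ca_only"), demo()):
        print(f"{name:9s} {result}")
```

Requiring both checks means an attacker must defeat two independently operated hierarchies; the cost is that an outage or misconfiguration in either one becomes a hard failure, which is why the post says "where appropriate".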