(1) I'm not trying to impugn the good work that was done in securing the root key. It was good work, and I think it was very cool. I am just asking if, despite that good work, an NSL could get around it. It's a fair question. The answer may be "no," or "not without it becoming public," or "with great difficulty." I doubt it's "easily." But it's worth asking. When you did the root signing, we were certainly thinking about this threat model, but it was a bit more academic then than it is now. I think we still had some illusions that the U.S. government at least would choose a more constrained attack than taking the key to everything; we now know that the government feels no such burden of restraint—they apparently feel that they can be trusted with that key, and we should be willing to provide it. (2) This attack is actually easier on TLDs than on the root, so I really asked the wrong question. Although taking the root would be useful, it would be less useful than taking .COM and .ORG and .EDU. With any of those keys, your chances of doing a mass attack on a single DANE-secured domain are much better. (3) So, are they all as secure as the root?