As expected, VeriSign placed its key material in the root zone
yesterday (click on the picture below to view more detailed key
information, etc.). Secure resolvers can now authenticate the .com key
starting from the root zone and validate DNSSEC secured domains in the
.com zone. Certainly a big accomplishment for the technical community.
By our count, USG funding to contractors for research and deployment of
DNSSEC has exceeded $20 million to date. Not much when one compares it
to the amount of commerce facilitated globally by the Internet. But
still, with the arguably most “important” zones now signed (from the
point of tipping DNSSEC adoption), a big question still remains – is
there any incentive for resolvers to validate?