Design Goals Survive an N-1 key compromise (where N is the number of trust anchors at a trust point) Minimize other attacks (e.g. add of new keys by compromiser) Ensure common state at resolvers assuming resolvers query the DNSKEY RRSet in defined time. |