The IGP Blog has a post about an important subject that is flying under too many radars, IANA's DNSSEC testbed signs root zone. I'll quote some key paragraphs, but it is worth reading the whole thing:

IANA is generating new zone signing keys (ZSK) monthly, using a script based upon Public-Key Cryptography Standards #11 as published by RSA. IANA maintains it is committed to make the sources of the system public. IANA's approach is to generate 3 overlapping ZSKs, one of which is "active" at any point and used to sign the root zone. The ZSKs are signed using one of 2 overlapping key signing keys (KSK), both of which sign the bundle of 3 ZSKs. In the event of emergency rollover, IANA relies upon a scripted procedure that migrates from the compromised key to the new, already "socialized" key. A status page for the testbed is available.

Based on this scant information, it does appear IANA is trying to move the ball forward on signing the root. However, the critical DNSSEC policy issue of who controls the root keys is still unresolved. It appears that control of both ZSKs and the KSKs (aka the "keys to the Internet kingdom") will reside with a USG contractor, just as suggested in the DHS sponsored root signing technical specification. This is sure to raise an eyebrow of some ccTLD and root operators and others who see DNSSEC as just one more way of solidifying the dominance of the ICANN/IANA root, and with it USG political oversight.

The above approach also goes against a basic tenant of Internet architecture of diversifying critical infrastructure in order to improve security and reliability (e.g., similar to how anycast technology diversifies some of the Internet's root servers). Maintaining all root zone signing activity with one root key operator (RKO) (as opposed to the IGP proposal of spreading it across a few non-governmental RKOs) seemingly violates this tenant, and certainly increases the probability that ICANN/IANA would be liable should it falter in performing it's DNSSEC related duties. Of course, this assumes that ICANN/IANA is willing to offer some level of reliability for signed DNS responses it provides. And if they're not, it's unclear why any other organization would be willing to stick it's neck out to provide DNSSEC based services dependent on the ICANN/IANA trust anchor.

Why is ICANN supporting the centralized solution? Because it expects to hold the keys.

One more reason why IANA should be spun off from ICANN!