On Sep 12, 2013, at 1:49 PM, "Dickson, Brian"
<bdickson(_at_)verisign(_dot_)com> wrote:
In order to subvert or redirect a delegation, the TLD operator (or
registrar) would need to change the DNS server name/IP, and replace the DS
record(s).
Someone who possesses the root key could in principle create a fake DNS
hierarchy with relatively few strategic changes, and present it only to certain
attack targets. This would be expensive, but not impossible. It would not
work, for example, for dragnet-style surveillance.