Security theater for DNSSEC
The Singapore event included an elaborate technical ceremony to create and then securely store numerical keys that will be kept in three hardened data centers there, in San Jose, Zurich and Singapore. The keys and data centers are working parts of a technology known as Secure DNS, or DNSSEC. DNS refers to the Domain Name System, which is a directory that connects names to numerical Internet addresses. Preliminary work on the security system had been going on for more than a year, but this was the first time the system went into operation, even though it is not quite complete.
The three centers are fortresses made up of five layers of physical, electronic and cryptographic security, making it virtually impossible to tamper with the system. Four layers are active now. The fifth, a physical barrier, is being built inside the data center.
As the recent compromises of RAs at Comodo showed us, the weak link in PKI is almost never the CA itself, and a clever hacker will always go after one of the weaker links instead of trying to get the CA's private keys. And it certainly looks like the fortresses that are being built in San Jose, Zurich and Singapore are really designed to keep hackers away from those very keys.
So if a hacker wants to compromise DNSSEC, they almost certainly won't try to beat the security of one of the fortresses. They'll do something much easier like compromising an RA. That means that all of the expensive layers of security around the DNSSEC root keys are probably just for show. They may make people feel better about the security of DNSSEC, but they probably don't really add much actual security because they're designed to defeat attacks that never happen. And these attacks still wouldn't happen if the security measures around the keys weren't as tight.