Just extracting one sentence out of Randy's e-mail:
no. you just want me to hold the trust keys for the zones you think are important. and, in today's email (for some value of 'today'), brett warns us that he has a handful of third level zones he thinks are important enough.
hence "does not scale."
RIPE NCC thinks it is important enough to sign the zones. If any of these handful of third level zones is not important enough for your operations to go through the trouble of validating then you do not need to configure them.

During early deployment of DNSSEC, there is a burden for the validating clients. I agree that if we do not get to a point where validators only have to configure between one and a handful of trust-anchors and those trust-anchors get automatically rolled, DNSSEC will not reach the masses. On the other hand we have to start deploying somewhere.

Olaf Kolkman

PS: The IETF DNSEXT group has a work item on automatic key-rollover; work is progressing slowly.