It's clear that the terms 'security' and 'Internet' have been antonyms from the start, but recent events, such as the disclosures of widespread surveillance on the Internet, have lead to greater awareness of this issue. The current framework of domain name certificates has been the subject of continuing abuse from the outset, and we will look at why this is so. From there we move to alternate approaches to securing the association of names and addresses and in particular look at DANE, or Domain Keys in the DNS. But DANE requires a trustable DNS, and that requires security in the DNS, or DNSSEC. DNSSEC uses a hierarchy of overlocking digital signatures, and at its apex is the root Key Signing Key. We are now at the time when it was promised that the root key would be replaced with a new key. But doing so will be tricky, as the protocol relating to DNS security does not specify key roll clearly. The talk will try to explain why we are currently in the mess we're in. Presented on 3 December 2015.