With some people wondering how DNSSEC could affect global censorship, I'd like to know if DNSSEC could protect a zone from being partially modified by a grandparent zone. (The point of this question is not to suggest that ICANN or it's members are not be trusted, but to figure out how DNSSEC affects the power they could exercise in theory.) For example: ICANN owns the root zone The .de zone is delegated to DENIC, Germany. Assume example.de is delegated to some 3rd party. Now, assuming DENIC does not remove example.de from their zone, would it be possible for them to redirect the subdomain abc.example.de elsewhere by returning signed records from the .de servers for abc.example.de ? Similarly, would it be possible for the DNS root to easily return signed fake records of a third-level domain xy.z while the second-level zone z is not participating in this and is not affected otherwise?