Comment by ggm

12 hours ago

Run local root. Root servers are not essential. It's in IETF draft discussion now as 4 documents, but it already works and just has to be turned on.

If you want to change pace, ask your DNS software provider to turn on local root by default.

(One of the things being defined is how to get a root zone trustably out of band using the new ZONEMD checksum.)

A bigger question might be why there are no ICANN HSMs outside the USA to generate root zone signings. ICANN has offices in Geneva and Singapore; it would not be hard to find secure DC locations for the signing ceremonies.
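
Added example, not part of ggm's comment or of any DNS software: a minimal check of the ZONEMD digest the comment mentions, using the SIMPLE scheme with SHA-384 from RFC 8976. The zone contents are constructed, RDATA is assumed to be already in uncompressed canonical wire form, and the DNSSEC signature over the ZONEMD record, which is what makes the digest trustworthy, is not validated here.

```python
import hashlib, struct

TYPE = {"A": 1, "NS": 2, "SOA": 6, "RRSIG": 46, "ZONEMD": 63}

def wire_name(name):
    """Uncompressed, lowercased wire form of an absolute domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def canonical_key(rr):
    # RFC 4034 ordering: labels compared right to left, then type, then RDATA.
    labels = [l.encode() for l in reversed(rr[0].lower().rstrip(".").split(".")) if l]
    return (labels, TYPE[rr[1]], rr[3])

def rr_wire(rr):
    owner, rtype, ttl, rdata = rr  # class is always IN (1) in this example
    return wire_name(owner) + struct.pack("!HHIH", TYPE[rtype], 1, ttl, len(rdata)) + rdata

def zone_digest(apex, records):
    """SHA-384 over the deduplicated, canonically ordered zone (SIMPLE scheme)."""
    h, apex_w = hashlib.sha384(), wire_name(apex)
    for rr in sorted(set(records), key=canonical_key):
        owner, rtype, _, rdata = rr
        covers_zonemd = rtype == "RRSIG" and rdata[:2] == b"\x00\x3f"  # type covered = 63
        if wire_name(owner) == apex_w and (rtype == "ZONEMD" or covers_zonemd):
            continue  # the apex ZONEMD RRset and its RRSIG are excluded from the digest
        h.update(rr_wire(rr))
    return h.digest()

def verify_zonemd(apex, records):
    """True only if an apex ZONEMD (scheme 1, hash 1) matches SOA serial and digest."""
    apex_w = wire_name(apex)
    at_apex = [r for r in records if wire_name(r[0]) == apex_w]
    soa = next((r for r in at_apex if r[1] == "SOA"), None)
    if soa is None:
        return False
    serial = struct.unpack("!I", soa[3][-20:-16])[0]  # SOA RDATA ends with 5 x uint32
    for _, rtype, _, rdata in at_apex:
        if rtype == "ZONEMD" and struct.unpack("!IBB", rdata[:6]) == (serial, 1, 1):
            return rdata[6:] == zone_digest(apex, records)
    return False

def sample_zone():
    # Constructed root-like zone; names, serial and addresses are made up.
    soa = wire_name("ns.example.") + wire_name("admin.example.") + struct.pack("!5I", 2024010100, 1800, 900, 604800, 86400)
    zone = [(".", "SOA", 86400, soa), (".", "NS", 518400, wire_name("ns.example.")),
            ("example.", "NS", 172800, wire_name("ns.example.")),
            ("ns.example.", "A", 172800, bytes([192, 0, 2, 53]))]
    zone.append((".", "ZONEMD", 86400, struct.pack("!IBB", 2024010100, 1, 1) + zone_digest(".", zone)))
    return zone
```
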