In addition to everything else that's wrong with DNSSEC, using Shamir to share a digital signature key is a silly idea. Multisignature trust systems / threshold signatures provide the same functionality, but without having a single secret that has to live on one computer at a single time. While I know they did their due diligence to prevent the leak of the DNSSEC root key, it's a problem they could've easily avoided by using an incredibly boring design rather than a more "clever" one like Shamir. As things stand, there is actually one key that could completely destroy DNSSEC and require the thing be bootstrapped again from scratch.