It is believed that non-US countries will find this move unacceptable, because it will make the US agency capable of falsifying DNS responses, as part of national espionage.

I guess it’s mostly a matter of the expectations that non-US nations have from DNSSEC in the first place.

If I understand this correctly, the situation as it would be once DHS has the keys will be no different than what it is today. The US will be able to spoof DNS responses that are resolved within its cloud. To forge a DNS response you need not only to be able to sign as a DNS server, but you also need to be (on the path of) the DNS server that is asked. This is not different than the situation as it is today, and non-US countries still use the Internet.

The question is whether or not these non-US countries ever expected DNSSEC to solve their problems with US national surveillance. I have no facts, but I believe that they never did. After all, there is some master key somewhere and this master key is kept by someone (I am not sure if key splitting was ever considered). As far as national intelligence is concerned, there is no difference between having the keys held by a “.org” or by a “.gov". The keys are in some nation’s jurisdiction and are thus subject to subpoenas that are enabled by some government with its own legal system that the community has no control over. Be it the US, or the EU, or anyone else.

DNSSEC, I think, comes to solve the problem of hackers who fake DNS responses to phish for your credit card details; not against national espionage. And; If you don’t expect — you are not disappointed…