The Domain Name System (DNS) is a distributed tree-based database largely used to translate a human-readable machine name into an IP address. The DNS SECurity extensions (DNSSEC) have been designed to protect the DNS protocol using public-key cryptography and digital signatures. In this paper, the authors show how DNSSEC can be attacked using compromised keys and describe the consequences of such attacks. Then, they propose a new revocation scheme for DNSSEC based on two new resource records. There is currently no revocation system defined in the DNSSEC standard.