If a tug of war develops, whoever holds the keys wins, since without the keys, you can’t publish a new version of the root with changed or added records unless you publish your own competing set of keys and can persuade people to use them. (Take that, ORSC.)
DNSSec may break the present attempt to demonstrate to Iran that US control of ICANN is not a threat to their national security. Do we really need the root signed? Apparently this is done to prohibit cache poisoning, but it has the additional advantage of solidifying ICANN's control of internet addressing. If you can't install an alternate key in your computer DNS may only work with officially recognized providers. This would be bad.
ICANN Gets the Root Zone, Too