I note that this statement calls for the new gTLD program to make DNSSEC optional rather than mandatory. (There are specific kinds of TLDs for which DNSSEC should be mandatory IMO, but that's outside the scope of this document)
Realistically, a handful of registry operators will provide the back ends for all of the new TLDs, and they all can do DNSSEC, so there's little practical reason not to require it. End to end DNSSEC is not ready for prime time, but the structure of a TLD is simple enough (just delegations and glue records) that there's little technical risk.

Personally, I would like to require that registrars and registrants also do full DNSSEC signing, since that will bring registrations in these useless domains to a screeching halt.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly