The main counterpoint to this was raised, IIRC, by Eric. He may offer a better take on this than I, but here's how I recall the point.

For those community-based TLD proposals from poorer economies -- the ones for whom the JAS group has been formed to try to lower costs -- the use of one of the big registry operators is *not* a given, and in these cases the cost of implementing DNSSEC could be significant.

Not all TLD proposals exist just for the money. There are a number of well meaning proposals that seek to duplicate the success of .cat to use a TLD as a focal point for a cultural, ethnic or linguistic community. Some of these may envision using other registry operations that may not assume DNSSEC -- in these cases, mandatory DNSSEC for all is part of a barrier to entry.

- Evan

On 7 April 2011 11:44, John R. Levine <johnl@iecc.com> wrote:
I note that this statement calls for the new gTLD program to make DNSSEC optional rather than mandatory. (There are specific kinds of TLDs for which DNSSEC should be mandatory IMO, but that's outside the scope of this document)
Realistically, a handful of registry operators will provide the back ends for all of the new TLDs, and they all can do DNSSEC, so there's little practical reason not to require it. End to end DNSSEC is not ready for prime time, but the structure of a TLD is simple enough (just delegations and glue records) that there's little technical risk.
Personally, I would like to require that registrars and registrants also do full DNSSEC signing, since that will bring registrations in these useless domains to a screeching halt.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
-- Evan Leibovitch, Toronto Canada Em: evan at telly dot org Sk: evanleibovitch Tw: el56