As noted previously by IGP, it is not entirely clear where the requirements for DNSSEC in the Draft Applicant Guidebook emerged from within the ongoing consultation. Public comments to date from several organizations are mostly negative, including China Organizational Name Administration Center (CONAC), Uninet Bulgaria, Domain the Net (Israel), DotAfrica, Regtime (Russia), and CORE (Switzerland). They cite a variety of concerns, ranging from potential conflicts with deploying IDNs, to conflicts with local and national laws, to concerns about data escrowing, and question whether DNSSEC is appropriate for all registries. In general, they argue that requiring DNSSEC could prevent new gTLDs.
Registry Operator shall implement Domain Name System Security Extensions (“DNSSEC”). During the Term, Registry Operator shall comply with RFCs 4033, 4034, 4035, 4509 and 4310 and their successors, and follow the best practices described in RFC 4641 and its successors.
RFC 4509 stipulates a specific implementation from the RSA/SHA family of hash algorithms to create certain DNSSEC-related resource records. Now this might seem an arcane technical detail, but when examined through the lens of standardization, it reveals the degree to which ICANN policy is being used to influence what standards are implemented, and how that can shape competition in global markets for new gTLDs and cryptographic products.