Over on the DNSSEC deployment list (http://mail.shinkuro.com:8100/Lists/dnssec-deployment/Message/702.html?Language=), Dan Mahoney posted: "So I (a .org user) was once again looking at pir.org to find out where they stand on DNSSEC, and it looks like it's going to be a long, uphill battle. On http://pir.org/Strengthening/DNSSec.aspx, Paragraph 7, Quote: In addition, the implementation challenges for DNSSEC are not trivial. Success depends on sufficient interest, capital outlay and the integration of DNSSEC support in DNS resolvers all over the world. After all, if a zone is signed and is available only to applications that can recognize and authenticate the signature, any application that attempted to access the domain or Web site without the ability to perform this authentication would fail. All legacy applications (i.e., Windows 95, old browsers and old e-mail applications) would have to be either upgraded or discarded in such a situation. End Quote Is it me or did whomever wrote that REALLY not understand how DNSSEC works? A DNSSEC zone contains all the same records as its unsigned counterpart, and the additional signature information won't be sent along unless asked for." The point here is that a significant hurdle for any new technical standard is whether or not it is backward compatible. This is because there can be major switching costs involved in adoption. DNSSEC was designed to be backward compatible, secured nameservers will continue to resolve requests from resolvers which are not security aware. Although that does not mean there aren't other costs that registries could incur in deploying the technology.