Re: "Crypto-nationalism" and competition in secure DNS
by Thierry Moreau
Oh dear! Now there would be a legal definition for DNSSEC. Let me look into this.
"During the Term, Registry Operator shall" ...
... "comply with RFCs 4033, 4034, 4035, 4509 and 4310 and their successors, [and optionally] with RFC 5155 and its successors."
While this looks like protocol compliance as usual, I am puzzled: a new gTLD registry operator may well have a business model with little emphasis on IT security in general or DNS data integrity protection (after all, the whole Internet has been run this way until quite recently). You would expect a minimum compliance behavior from such an operator.
..."follow the best practices described in RFC 4641 and its successors."
Seldom enforceable! In payment system networks where individual participants would seek minimal operating costs, the minimum compliance behavior is ultimately defined by mandatory external auditing provisions, based on detailed operating standards. Nothing similar exists with DNSSEC, where operational practices are documented with the premise that registry operators are willfully seeking effective IT security protections.
..."accept public-key material from child domain names in a secure manner according to industry best practices."
Is this a joke or a revelation? What are the industry best practices? To which registrar model are they applicable? To which DNS management arrangements are they applicable? Do they require proprietary technology licensing? Actually, this refers to one of the least understood aspects of DNSSEC deployment.
... "publish in its website the practice and policy document (also known as the DNSSEC Policy Statement or DPS) describing key material storage, access and usage for its own keys and the registrants’ trust anchor material."
Plain bureaucratic overhead. Nowadays, it seems fashionable to make DNSSEC operations similar to X.509 PKI.
Overall, the decision to make DNSSEC support mandatory for new gTLDs is at once ill-advised, discriminatory towards new gTLD entrants, counterproductive in view of the DNSSEC goals, and maybe a useless barrier to innovative gTLD business models in which DNS integrity is only a secondary concern.
Admittedly, this opinion is strongly worded. The above citations are a correct definition of DNSSEC support by a registry operator, if there were an urgent need to use one in contract language. But the vagueness associated with the technical requirements would have to be addressed as such in contractual provisions, e.g. joint determination of future technical specifications or something else. This shouldn't all be implicitly delegated to the IETF.