How the next round may integrate IPv6 only DNSSEC requirements
- by Staff
The upcoming round of new gTLD applications presents a timely opportunity for ICANN to integrate more advanced internet infrastructure standards into the very foundation of the domain name system, particularly through the potential introduction of IPv6-only DNSSEC requirements. As the global internet continues its transition away from IPv4 due to address exhaustion, and as the security threat landscape grows more sophisticated, there is mounting pressure for domain registries and DNS operators to fully embrace modern standards that enhance both scalability and trust. Combining mandatory DNSSEC with IPv6-only support for new top-level domains would represent a bold step in aligning the DNS with the future of a secure and sustainable internet.
IPv6, developed to replace the limited 32-bit IPv4 address space, offers a nearly inexhaustible pool of 128-bit addresses, allowing for massive expansion of devices and services on the internet. Despite being available for more than two decades, IPv6 adoption has been slow and uneven across regions, ISPs, and enterprise networks. Many parts of the internet infrastructure, including large portions of the DNS ecosystem, still rely heavily on dual-stack configurations or default to IPv4. ICANN has historically supported the transition through policy encouragement and operational support but has stopped short of requiring IPv6-only compliance for new TLDs. The next gTLD round, however, may mark the inflection point where ICANN chooses to embed IPv6 readiness into the foundational requirements for registry operations.
This shift would not be unilateral. Instead, ICANN could specify that all authoritative name servers for new gTLDs must be IPv6-enabled and, optionally, operate in an IPv6-only mode during DNSSEC signing and resolution operations. DNSSEC, the security extension for the domain name system, adds cryptographic signatures to DNS records, allowing resolvers to verify the authenticity of the data they receive. While DNSSEC adoption has increased significantly among TLD registries, its implementation still varies in sophistication, particularly when dealing with key management, zone signing automation, and chain-of-trust validation.
Integrating DNSSEC with IPv6-only infrastructure presents both challenges and opportunities. On one hand, requiring IPv6-only name servers for DNSSEC-enabled zones pushes the ecosystem toward necessary modernization. It would compel registry service providers to ensure their authoritative DNS platforms are fully compatible with IPv6 transport, including provisioning, monitoring, failover, and query response behavior. This could accelerate the retirement of legacy systems and catalyze innovation in DNS hosting and security tooling. On the other hand, it demands robust auditing tools and operational maturity from both registries and registrars to prevent configuration errors that could break name resolution or disrupt DNSSEC validation paths.
ICANN could implement this requirement as part of the Registry Agreement for new gTLDs, embedding IPv6-only DNSSEC compliance into the technical and operational criteria assessed during pre-delegation testing. Applicants would need to demonstrate that their DNS architecture supports native IPv6 transport for all signed zones, that their DS records are properly submitted to the root zone, and that their key rollover procedures are compatible with IPv6 query behavior. Additional test scenarios could be introduced into the ICANN Technical Evaluation phase to validate IPv6-only recursive resolver compatibility, response latency under IPv6, and fallback behavior in environments without IPv4 connectivity.
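The two checks named above (every authoritative name server reachable over IPv6, and the DS record in the parent matching a key the zone actually publishes) can be sketched as follows. This is an added example, not an ICANN test procedure or code from the original article; the zone name, name server hosts, addresses and key bytes are constructed sample data, and the function names are hypothetical.

```python
import hashlib, ipaddress, struct

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(zone, rdata):
    """DS fields for a DNSKEY, digest type 2 (SHA-256 over owner || RDATA)."""
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest": digest}

def check_delegation(zone, nameservers, parent_ds, dnskeys):
    """Return findings; an empty list means both checks passed."""
    findings = []
    # Check 1: a resolver with no IPv4 connectivity must be able to reach every NS.
    for host, addrs in sorted(nameservers.items()):
        if not any(ipaddress.ip_address(a).version == 6 for a in addrs):
            findings.append(f"{host}: no IPv6 address")
    # Check 2: the parent's DS must match a published key with the Zone Key bit set.
    candidates = [make_ds(zone, dnskey_rdata(*k)) for k in dnskeys if k[0] & 0x0100]
    if parent_ds not in candidates:
        findings.append(f"{zone}: DS in parent matches no zone key")
    return findings

# Constructed sample data (documentation address ranges, dummy key bytes).
KSK = (257, 13, bytes(range(64)))
ZSK = (256, 13, bytes(range(64, 128)))
NAMESERVERS = {"a.nic.example": ["2001:db8::53"], "b.nic.example": ["192.0.2.53"]}
GOOD_DS = make_ds("example", dnskey_rdata(*KSK))

if __name__ == "__main__":
    for finding in check_delegation("example", NAMESERVERS, GOOD_DS, [KSK, ZSK]):
        print(finding)
```

A DS that matches no published key breaks the chain of trust for validating resolvers, which is why a stale DS left behind after a key rollover is treated here as a finding and not a warning.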
A phased approach may be adopted in which IPv6-only DNSSEC support is initially mandated for a subset of new gTLDs targeting high-security or government applications, followed by a broader rollout. Alternatively, ICANN may provide financial or technical incentives (such as application fee credits or prioritized processing) for applicants that voluntarily commit to IPv6-only operation with DNSSEC during the early stages of delegation. This model encourages proactive adoption while still allowing less technically advanced applicants time to upgrade their infrastructure.
The broader impact of this integration would be significant. By mandating IPv6-only DNSSEC for new gTLDs, ICANN would signal to the global internet community that future namespace expansion is inherently tied to best practices in security and scalability. It would normalize IPv6-only operation within the DNS ecosystem, reducing reliance on transitional dual-stack configurations and promoting native IPv6 routing and peering. Moreover, it would push DNS hosting providers, ISPs, and hardware vendors to ensure that their platforms can handle IPv6 DNSSEC queries at scale, leading to a more secure and interoperable global internet.
Another advantage of this policy is the potential for better alignment with emerging technologies such as 5G, IoT, and edge computing—all of which depend heavily on IPv6’s expanded address space. Many of these technologies also depend on automated, secure service discovery, for which DNSSEC provides essential integrity guarantees. Enabling TLDs to function natively in these contexts requires seamless IPv6 operation, especially as mobile networks increasingly shift toward IPv6-only modes to improve performance and reduce address translation overhead.
However, ICANN must also consider the risks of setting too aggressive a requirement. Some regions, particularly in the Global South, still struggle with IPv6 deployment due to infrastructure constraints, lack of training, or economic barriers. Forcing IPv6-only DNSSEC compliance could inadvertently exclude otherwise qualified applicants or create a digital divide in namespace access. To mitigate this, ICANN could pair any new requirement with expanded technical support programs, capacity-building initiatives, and partnerships with regional internet registries to facilitate IPv6 infrastructure deployment.
Finally, integrating IPv6-only DNSSEC requirements could help address long-standing concerns about DNS abuse, including cache poisoning, man-in-the-middle (MITM) attacks, and unauthorized redirection. By creating a DNS environment where authenticity and integrity are mandatory at the transport and resolution layers, ICANN can increase end-user protection, improve trust in new TLDs, and limit the surface area for cyberattacks. This would align with broader global efforts to secure critical internet infrastructure and ensure DNS resiliency in the face of geopolitical, technological, and ecological challenges.
In conclusion, the next round of new gTLDs offers an unprecedented chance to make IPv6-only DNSSEC a default, rather than an exception, in the digital naming system. While the transition requires careful planning, policy nuance, and stakeholder engagement, the long-term benefits are compelling: a more scalable, secure, and future-ready internet, anchored by a DNS that reflects modern architecture and global digital responsibility. If implemented effectively, this evolution could become a defining characteristic of the next generation of domain names.