An interesting note from a very smart person:
“This morning I woke up to find .gov missing. Now, I know that some people would find that an exciting, positive event. But on the net it wasn’t so positive, but it was exciting.

What seems to have occurred is this:

– DNSSEC keys for .gov expired
– The rollover to new keys was such that some DNSSEC enforcing resolvers began to not accept .gov.
– That, in turn, meant that to some users .gov had vanished.

My ISP at home is Comcast and of the two name servers they provide for me to use, one had .gov, the other did not. I’ve been chatting with my ISP, Comcast, about this. They grumbled that this isn’t the first time something like this has occurred.

So I asked “what lessons can we learn so that we (meaning those folks applying for new TLDs) can do things better?” I was vectored to the following two notes. I have not had time to do more than a very fast skim of these. But there might be some good stuff in there for us to incorporate into our DNSSEC procedures.
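A zone operator can watch for the two conditions in the note above, signatures running past their validity period and signatures made by a key that is no longer in the published DNSKEY set after a rollover, before validating resolvers start rejecting the zone. The following is an added example, not part of the quoted note: it audits records in dig-style presentation format, and the zone `example.`, the key material, the dates and the 3-day warning window are all constructed assumptions.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

def key_tag(flags, proto, alg, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def ts(s):
    # RRSIG times in presentation format are YYYYMMDDHHmmSS, in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit(records, now, warn=timedelta(days=3)):
    """Return (covered_type, key_tag, problem) for every RRSIG that a
    validating resolver would reject, or that is close to expiring."""
    keys, sigs = set(), []
    for line in records.strip().splitlines():
        f = line.split()
        if f[3] == "DNSKEY":      # flags, protocol, algorithm, public key
            keys.add(key_tag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])))
        elif f[3] == "RRSIG":     # covered alg labels ttl expiration inception tag ...
            sigs.append((f[4], ts(f[8]), ts(f[9]), int(f[10])))
    findings = []
    for covered, expires, inception, tag in sigs:
        if tag not in keys:
            findings.append((covered, tag, "signing key not in DNSKEY set"))
        elif now > expires:
            findings.append((covered, tag, "signature expired"))
        elif now < inception:
            findings.append((covered, tag, "signature not yet valid"))
        elif expires - now < warn:
            findings.append((covered, tag, "signature expires soon"))
    return findings

# Constructed sample data: one published key, three signatures.
KEY = base64.b64encode(b"constructed-key-material").decode()
TAG = key_tag(257, 3, 8, KEY)
SAMPLE = f"""
example. 3600 IN DNSKEY 257 3 8 {KEY}
example. 3600 IN RRSIG DNSKEY 8 1 3600 20240110000000 20231227000000 {TAG} example. c2ln
example. 3600 IN RRSIG SOA 8 1 3600 20240102000000 20231219000000 {TAG} example. c2ln
example. 3600 IN RRSIG NS 8 1 3600 20240110000000 20231227000000 {TAG ^ 1} example. c2ln
"""
NOW = datetime(2024, 1, 3, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    for finding in audit(SAMPLE, NOW):
        print(finding)
```

The check only compares timestamps and key tags; it does not verify the signatures cryptographically, so it complements rather than replaces querying through a validating resolver.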