"The handwriting is on the wall: the root will be signed, but when and how I don't think anybody knows," Crocker said. "How fast do they need to go? It's a question of how soon do you need to shut the barn door."

Experts say there is no technical reason preventing Commerce from mandating DNSSEC deployment across the 13 root zone server clusters in 2009.

"The root zone has 300 TLDs in it," Crocker explained, adding that deploying DNSSEC on the .com domain is a more difficult issue because it has 70 million domain names.

VeriSign, which operates the .com domain, has within 24 months.

Getting the root signed "is a very important issue, and it's an obvious next step," says Ram Mohan, CTO of Afilias, which operates the .info domain. "The other clear thing that needs to be done is an end-to-end test. Given that a significant top-level domain such as .org will soon be signed and then the root is signed, we need to look at DNSSEC from end-to-end."