DNSSEC Validation for SSL Certificates: CA/B Forum Ballot SC-085 Changes in March 2026


Published: March 12, 2026
Beginning March 2026, Certificate Authorities (CAs) must verify DNSSEC signatures during CAA evaluation and Domain Control Validation (DCV) if DNSSEC has been enabled on the domain.
This change has been approved by the CA/Browser Forum through the CA/B Forum Ballot SC-085v2 (TLS) and SMC014 (S/MIME).
With this change, DigiCert has started validating DNSSEC during the process of domain control verification and CAA evaluation, effective March 3, 2026. This means that if DNSSEC has been misconfigured, the issuance of certificates will be denied.
This change may impact the issuance and renewal of TLS and S/MIME certificates for organizations that use DNSSEC.  
DNSSEC (Domain Name System Security Extensions) adds origin authentication and integrity protection to the Domain Name System: zone data is cryptographically signed, and the signatures (RRSIG records) are published alongside the records they cover.
Rather than trusting DNS responses at face value, a validating resolver checks each answer against a chain of trust that starts at the root zone's trust anchor and runs through the DS record at every delegation down to the zone's own DNSKEY.
A forged or altered answer fails that check, which defeats DNS cache poisoning and DNS spoofing, including an on-path attacker rewriting answers in transit. DNSSEC does not encrypt queries and says nothing about the server a client finally connects to; authenticating that endpoint is the job of the TLS certificate whose issuance these rules now protect.
Certificate Authorities (CAs) rely on DNS queries to perform Domain Control Validation (DCV) and to check for CAA (Certification Authority Authorization) records before issuing a TLS or S/MIME certificate.
Under the new CA/Browser Forum requirement that takes effect in March 2026, CAs must also validate DNSSEC signatures on those lookups whenever DNSSEC is enabled on the domain in question. If DNSSEC is misconfigured and the responses fail validation, the CA cannot issue or renew any certificate for the domain; the correctness of the DNS configuration is thereby tied directly to certificate availability.

The change at a glance (before March 2026 versus after March 3, 2026):

Regulatory Requirement
  Before: DNSSEC validation during CAA and DCV checks was not mandatory.
  After: DNSSEC validation is required if DNSSEC is present, per SC-085v2 and SMC014.

CAA Lookups
  Before: CAs checked CAA records without verifying DNSSEC signatures.
  After: CAs must validate DNSSEC signatures on CAA lookups when DNSSEC is enabled.

DCV (Domain Control Validation)
  Before: DNS-based DCV could proceed without DNSSEC validation.
  After: DNS-based DCV must validate DNSSEC if the domain uses DNSSEC.

Certificate Issuance Behavior
  Before: Misconfigured DNSSEC might not block certificate issuance.
  After: Invalid DNSSEC signatures block certificate issuance and renewal.

Affected Certificates
  Before: Existing TLS and S/MIME validation processes applied.
  After: TLS (DV, OV, EV) and S/MIME certificates follow the updated DNSSEC validation rules.

Domains Without DNSSEC
  Before: No DNSSEC validation required.
  After: No change; domains without DNSSEC are unaffected.

Operational Risk
  Before: DNSSEC errors might go unnoticed.
  After: DNSSEC misconfigurations directly affect the certificate lifecycle and its automation.

Missing DS Records at the Registrar
When a zone is signed but the DS (Delegation Signer) record published at the registrar does not match the Key Signing Key actually in the zone, because it still points at a key retired in a rollover or was mistyped when entered, the chain of trust between the parent and child zone is broken and validators treat the zone as bogus. (If no DS has ever been published, validators instead treat the delegation as insecure: nothing blocks issuance, but the signatures in the zone then protect nothing.)
Effective March 2026, Certificate Authorities (CAs) treat a bogus result as a DNSSEC validation failure. They therefore cannot use the CAA or DNS-based DCV answers for that domain, and will not issue or renew certificates for it until the DS is corrected.
Expired ZSK/KSK Keys
DNSSEC relies on fresh signatures made with the zone's active keys (RFC 4033 through 4035): the Zone Signing Key (ZSK) signs the zone's records and the Key Signing Key (KSK) signs the DNSKEY RRset. Strictly speaking, a DNSKEY record has no expiry date; it is the RRSIG records that carry inception and expiration timestamps, typically valid for a few weeks. "Expired keys" in practice means a key that was retired from the signer, or a signing job that stalled, so that the RRSIGs still being served have passed their expiration time.
When a CA validates such a response, every RRSIG outside its validity window, or produced by a key that is no longer in the DNSKEY RRset, fails signature verification and the zone is treated as bogus.
The CA then cannot validate the CAA or DCV answer for the domain, which prevents it from issuing a certificate for that domain.
Broken/Improperly Executed Key Rollovers
A DNSSEC key rollover must be sequenced so that, at every moment, a resolver holding cached data can still build a chain of trust (RFC 6781 describes the pre-publish and double-signature methods). The classic mistakes are publishing the new DS at the registrar before the new KSK is in the zone, removing the old key or its signatures before cached copies have passed their TTL, and forgetting to update the DS at all after a KSK change.
Once the new requirements are in force, a rollover that breaks the chain will cause the CA to refuse issuance and renewal for that domain until the chain is repaired, and because the stale data lives in resolver caches the outage can persist for up to a full TTL after the fix.
Unsigned Delegations to Subdomains
This matters when DCV records (for example the _acme-challenge label) live in a delegated subdomain. If the parent zone is signed and publishes a DS for the child, the child must actually be signed, and signed with the key that DS points to; otherwise its answers validate as bogus. If the parent publishes no DS for the child, validators treat the delegation as insecure, which does not block validation but leaves the child's DCV records with no protection at all. A delegation with a DS but a missing or mismatched DNSKEY is the case that breaks certificate issuance.
Expired Signatures and TTL Mismatches Between RRSIG and Resource Records
Each RRSIG carries an inception time, an expiration time and an Original TTL equal to the TTL of the RRset it signs. Validators cap the TTL of an authenticated RRset at the smallest of the record TTL, the RRSIG TTL, the Original TTL and the remaining signature lifetime, so a slightly mismatched TTL is clamped rather than rejected.
The failure that actually blocks validation is a signature that has expired, or is not yet valid because of clock skew on the signer. A TTL that exceeds the Original TTL is a warning sign that responses are being assembled from inconsistent data and should be chased down, because under the new requirement an invalid signature on the CAA or DCV answer stops the certificate from being issued.
These changes are meant to make certificate issuance more trustworthy by closing a gap in the existing DNS-based validation process.
Although certificate authorities have always had to examine CAA records and perform Domain Control Validation (DCV), they were not required to verify the DNS responses they acted on with DNSSEC, which left room for DNS spoofing and on-path manipulation of those answers.
By requiring that DNSSEC validation be performed when it is available, the CA/Browser Forum believes that this will help mitigate the risk of mis-issuance of certificates due to DNS cache poisoning or intercepted queries.
This update is consistent with ongoing expectations by many of the major browser vendors with respect to security and reinforces an overall industry initiative to defend the WebPKI ecosystem from DNS-based attacks through hardening actions.
Large Enterprises and High-Volume Certificate Consumers
Organizations handling large volumes of public TLS or S/MIME certificates (hundreds or thousands) are the most exposed, especially those relying on automated issuance and renewal systems such as ACME clients.
These environments typically have complex DNS infrastructures, use multiple registrars, delegate subdomains, and handle DNSSEC key management by hand.
If DNSSEC is enabled but misconfigured, a single error can stall large-scale certificate renewals and result in outages across entire applications or regions.
Organizations Using DNSSEC alongside CAA Records
Companies utilizing DNSSEC in conjunction with CAA records are directly affected by the March 2026 enforcement changes. Companies that have properly configured their environments should experience no impact.
Any discrepancies with DS records, expired keys, and broken delegations can cause an inability to successfully complete CAA or DCV validation.
Therefore, organizations using DNSSEC must pay close attention to their DNS hygiene to maintain the currency and continuity of their certificate lifecycles.
Regulated and Security-Sensitive Industries
Industries such as finance, government, healthcare, and telecommunications are likely to deploy DNSSEC as part of a broader effort to secure their information technology systems and comply with federal regulatory requirements.
Given that these industries often depend on stringent uptime requirements for their IT operations and utilize automated certificate management, DNSSEC misconfigurations can introduce operational risk when not actively audited prior to the beginning of enforcement.
Small and medium-sized enterprises
Small and medium-sized enterprises are typically less impacted by this change because there has been a relatively low level of DNSSEC deployment among smaller organizations over the years.
With DNSSEC turned off, the way certificates get issued will not change. Smaller organizations that do use DNSSEC, however, especially those without staff who know DNS well, should expect unexpected certificate issuance failures, because they are unlikely to have checked their configurations before the March 2026 deadline.
How can your Organization Prepare for this New Policy?
Organizations that utilize DNSSEC should take active measures to audit their DNS configurations prior to March 2026 to ensure that everything is properly validated according to more stringent requirements imposed upon Certificate Authorities.
To perform this audit, start with an inventory of all domains that contain CAA records and verify that DNSSEC is enabled for each of those domains.
Verify that the DS records at your registrar match the active DNSKEY records in your DNS zone files; that both your ZSK and KSK are still valid and are not about to expire; and that any recent or future Key Rollovers have been performed correctly.
Run a DNSSEC validation check utilizing tools such as DNSViz or other debugging platforms to validate that the chain of trust is complete.
In addition, proactively monitor any automated processes for renewing your certificates (ACME, etc.) to identify and address any validation failures early so that you can avoid unexpected service disruptions once this policy goes into effect in March 2026.
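One way to run the DS, key and signature checks from the audit steps above offline, and to reproduce the "missing DS", "expired signature" and "broken rollover" failure modes described earlier, is the script below. It is an added example, not code from the original post, from Certera or from any CA. It takes record lines in the format `dig` prints them; the example.com records, the 4-byte placeholder public key, the digest values and the function names `check_ds_chain` and `check_rrsig` are constructed here for illustration.

```python
"""Offline DNSSEC hygiene checks for the CAA/DCV audit above (added example, not
Certera's or any CA's code). Input lines are in the presentation format printed by
`dig DNSKEY <zone>`, `dig DS <zone>` (the DS RRset the registrar published at the
parent) and `dig +dnssec <name> <type>` (for RRSIGs). All records below are
constructed samples; the DNSKEY carries a 4-byte placeholder public key so the key
tag (1041) can be checked by hand, whereas a real ECDSA P-256 key is 64 bytes."""
import base64
import hashlib
import struct
from datetime import datetime, timedelta, timezone

SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AAEAAg=="  # constructed
SAMPLE_RRSIG = ("example.com. 3600 IN RRSIG CAA 13 2 3600 20260320000000 "
                "20260301000000 1041 example.com. c2lnbmF0dXJl")  # constructed
STALE_DS = "example.com. 86400 IN DS 1041 13 2 " + "00" * 32  # constructed, wrong digest
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types (1 is legacy)

def dnssec_time(stamp):
    """RRSIG YYYYMMDDHHMMSS timestamp -> aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit sum of the DNSKEY RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[i + 4:]))
    return {"owner": f[0], "flags": flags, "alg": alg, "rdata": rdata, "tag": key_tag(rdata)}

def parse_ds(line):
    """-> (key_tag, algorithm, digest_type, DIGEST_HEX)"""
    f = line.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()

def make_ds(dnskey, digest_type=2):
    """RFC 4034 s5.1.4: DS digest = H(canonical owner name | DNSKEY RDATA)."""
    h = DIGEST[digest_type](wire_name(dnskey["owner"]) + dnskey["rdata"]).hexdigest().upper()
    return dnskey["tag"], dnskey["alg"], digest_type, h

def check_ds_chain(ds_lines, dnskey_lines):
    """Does the DS RRset at the parent anchor the child's DNSKEY RRset?
    Returns (status, findings), status in {"secure", "insecure", "bogus"}. Only the
    digest link is checked; a validator also verifies the KSK's RRSIG over DNSKEY."""
    keys = {k["tag"]: k for k in map(parse_dnskey, dnskey_lines)}
    if not ds_lines:
        return "insecure", ["no DS at parent: delegation is insecure, nothing is validated"]
    findings, matched = [], False
    for tag, alg, dtype, digest in map(parse_ds, ds_lines):
        k = keys.get(tag)
        if k and k["alg"] == alg and make_ds(k, dtype)[3] == digest:
            matched = True
            findings.append(f"DS {tag}/{alg}/{dtype} matches DNSKEY {tag}")
        else:
            findings.append(f"DS {tag}/{alg}/{dtype} matches no DNSKEY (stale or mistyped)")
    return ("secure" if matched else "bogus"), findings

def check_rrsig(line, now, known_tags=None, warn_days=7):
    """Validity window and signer sanity for one RRSIG. dig field order after
    'RRSIG': type alg labels origttl expiration inception keytag signer signature."""
    now = dnssec_time(now) if isinstance(now, str) else now
    f = line.split()
    i = f.index("RRSIG")
    ttl, orig_ttl = int(f[1]), int(f[i + 4])
    exp, inc, tag = dnssec_time(f[i + 5]), dnssec_time(f[i + 6]), int(f[i + 7])
    problems = []
    if now < inc:
        problems.append("inception in the future: signer or validator clock skew")
    if now >= exp:
        problems.append("expired: zone was not re-signed, answers validate as bogus")
    elif exp - now < timedelta(days=warn_days):
        problems.append(f"expires in {(exp - now).days} days: check the re-signing job")
    if ttl > orig_ttl:
        problems.append("RRSIG TTL exceeds Original TTL: RRset reassembled with a wrong TTL")
    if known_tags is not None and tag not in known_tags:
        problems.append(f"signed by key tag {tag}, which is not in the DNSKEY RRset (rollover error)")
    return {"covers": f[i + 1], "keytag": tag, "expires": exp, "problems": problems}

if __name__ == "__main__":
    key = parse_dnskey(SAMPLE_DNSKEY)
    good_ds = "example.com. 86400 IN DS %d %d %d %s" % make_ds(key)
    print("DS to hand to the registrar:", good_ds)
    for ds_set in ([good_ds], [STALE_DS], [good_ds, STALE_DS], []):
        print(check_ds_chain(ds_set, [SAMPLE_DNSKEY]))
    print(check_rrsig(SAMPLE_RRSIG, "20260312000000", known_tags={key["tag"]}))
    print(check_rrsig(SAMPLE_RRSIG, "20260321000000", known_tags={key["tag"]}))
```

To run it against a real zone, paste the output of `dig DNSKEY yourzone`, `dig DS yourzone` and `dig +dnssec CAA yourzone` into the three inputs. A "bogus" status or an "expired" problem is exactly the condition that will make a CA refuse the CAA or DCV lookup under the new rules; a stale DS alongside a matching one is harmless to validation but should still be removed. DNSViz performs the same chain walk and additionally verifies the signatures themselves, which this script does not.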
Conclusion
For organizations using DNSSEC or managing a diverse TLS/S/MIME certificate estate, it is time to audit, test, and harden your DNS and certificate architecture.
Certera can assist businesses in staying up-to-date with changes in the industry through reliable certificate solutions, renewal assistance, and professional help.
To successfully secure your domains, work with us to ensure a seamless experience throughout your certificate lifecycle.

Janki Mehta
Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.

*** This is a Security Bloggers Network syndicated blog from EncryptedFence by Certera – Web & Cyber Security Blog authored by Janki Mehta. Read the original post at: https://certera.com/blog/dnssec-validation-for-ssl-certificates-ca-b-forum-ballot-sc-085-changes-in-march-2026/
