DNSSEC Validation Enforcement for SSL Certificate Issuance - March 2026
Kevin Taylor
Starting in March 2026, the way Certificate Authorities (CA) handle Domain Name System Security Extensions (DNSSEC) during SSL Certificate issuance is changing significantly. The CA/Browser Forum has passed Ballot SC-085v2, which requires all publicly trusted Certificate Authorities (CA) to validate Domain Name System Security Extensions (DNSSEC) whenever it is present during Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) record lookups.
This means that if your domain uses Domain Name System Security Extensions (DNSSEC) and it is misconfigured, your SSL Certificate issuance or reissuance could be blocked entirely. Trustico® wants to ensure that all customers understand what this change means, whether it affects them, and what steps they should take to prepare.
This regulatory change is part of a broader industry effort to strengthen Domain Name System (DNS) security within the Public Key Infrastructure (PKI) ecosystem. While Domain Name System Security Extensions (DNSSEC) itself remains entirely optional, the new requirement ensures that Certificate Authorities (CA) can no longer ignore broken or invalid Domain Name System Security Extensions (DNSSEC) configurations when they encounter them.
For most Trustico® customers who do not use Domain Name System Security Extensions (DNSSEC), this change will have no impact whatsoever. However, for those who have enabled Domain Name System Security Extensions (DNSSEC) on their domains, it is essential to verify that configurations are correct before the enforcement date.
What Is Changing and Why It Matters
The CA/Browser Forum is the industry body responsible for setting the standards that govern how SSL Certificates are issued and managed. It has approved Ballot SC-085v2, which introduces a mandatory requirement for Certificate Authorities (CA) to perform Domain Name System Security Extensions (DNSSEC) validation back to the IANA root trust anchor on all Domain Name System (DNS) queries associated with Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) record lookups. The effective date set by the CA/Browser Forum is 15 March 2026.
Sectigo, the Certificate Authority (CA) partner that Trustico® works with to provide SSL Certificates, has announced that they will begin enforcing Domain Name System Security Extensions (DNSSEC) validation on 5 March 2026, slightly ahead of the CA/Browser Forum deadline. Trustico® customers should treat 5 March 2026 as the practical enforcement date for any SSL Certificate issuance or reissuance activity.
Important : This change does not require you to enable Domain Name System Security Extensions (DNSSEC) on your domain. Domain Name System Security Extensions (DNSSEC) remains entirely optional. However, if your domain already has Domain Name System Security Extensions (DNSSEC) enabled, it must validate successfully for SSL Certificate issuance to proceed.
The ballot was proposed by Clint Wilson of Apple and endorsed by representatives from Fastly, HARICA, and Google Chrome. It received overwhelming support from both Certificate Authorities (CA) and browser vendors, with 25 Certificate Authorities (CA) voting in favor and all Certificate Consumer members supporting the measure.
Understanding Domain Name System Security Extensions (DNSSEC)
To appreciate why this change matters, it helps to understand what Domain Name System Security Extensions (DNSSEC) does and how it relates to SSL Certificate issuance. This section explains the technical background and the security concerns that prompted the CA/Browser Forum to act.
How Domain Name System Security Extensions (DNSSEC) Protects Domain Name System (DNS) Responses
Domain Name System Security Extensions (DNSSEC) adds a layer of cryptographic security to the Domain Name System (DNS). It works by allowing domain owners to digitally sign the Domain Name System (DNS) records they publish. When a resolver queries a Domain Name System Security Extensions (DNSSEC)-signed domain, it can verify the authenticity of the response by checking the cryptographic signatures against a chain of trust that extends back to the root zone.
This prevents attackers from tampering with Domain Name System (DNS) responses through techniques such as Domain Name System (DNS) cache poisoning, Domain Name System (DNS) spoofing, and Border Gateway Protocol (BGP) hijacking. Without Domain Name System Security Extensions (DNSSEC), a sufficiently positioned attacker could intercept or manipulate Domain Name System (DNS) queries between a Certificate Authority (CA) and a domain's authoritative name servers, potentially allowing fraudulent SSL Certificate issuance.
Why Certificate Authorities (CA) Must Now Validate Domain Name System Security Extensions (DNSSEC)
Until now, Certificate Authorities (CA) were required to check Certificate Authority Authorization (CAA) records before issuing SSL Certificates - a requirement in place since September 2017. However, there was no requirement to verify the authenticity of those Domain Name System (DNS) responses through Domain Name System Security Extensions (DNSSEC). Even if a domain had Domain Name System Security Extensions (DNSSEC) properly configured, a Certificate Authority (CA) might not validate the signatures.
Ballot SC-085v2 closes this gap. From the enforcement date forward, if a Certificate Authority (CA) encounters Domain Name System Security Extensions (DNSSEC) during a Domain Control Validation (DCV) or Certificate Authority Authorization (CAA) lookup, it must validate the signatures. If validation fails, the Certificate Authority (CA) must not rely on that Domain Name System (DNS) data, and SSL Certificate issuance must fail until the issue is resolved.
Who Is Affected by This Change
The impact of this change depends entirely on whether your domain has Domain Name System Security Extensions (DNSSEC) enabled. Understanding your current configuration is the first step in determining whether any action is required.
Domains Without Domain Name System Security Extensions (DNSSEC)
If your domain does not use Domain Name System Security Extensions (DNSSEC), this change will have no effect on your SSL Certificate issuance or reissuance. When a Certificate Authority (CA) queries a domain that is not signed with Domain Name System Security Extensions (DNSSEC), the response is classified as "insecure" - meaning no Domain Name System Security Extensions (DNSSEC) is configured. The Certificate Authority (CA) will continue to process Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks exactly as it does today.
The vast majority of domains on the internet do not currently use Domain Name System Security Extensions (DNSSEC), so most Trustico® customers will not need to take any action.
Domains With Domain Name System Security Extensions (DNSSEC) Properly Configured
If your domain has Domain Name System Security Extensions (DNSSEC) enabled and it is properly configured with valid signatures and a complete chain of trust, this change is entirely positive. The Certificate Authority (CA) will cryptographically verify your Domain Name System (DNS) responses, providing stronger protection against spoofing and interception attacks. Your SSL Certificate issuance will proceed normally with the added security benefit.
Domains With Misconfigured Domain Name System Security Extensions (DNSSEC)
This is where the change could cause problems. If your domain has Domain Name System Security Extensions (DNSSEC) enabled but it is misconfigured - such as expired signatures, a broken chain of trust, or unsigned child zones - the Certificate Authority (CA) will classify the Domain Name System (DNS) response as "bogus." Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks will fail, and SSL Certificate issuance or reissuance will be blocked until the configuration is corrected.
Warning : If your domain has broken Domain Name System Security Extensions (DNSSEC) configuration and you need to issue or reissue an SSL Certificate after 5 March 2026, the process will fail. You must resolve the Domain Name System Security Extensions (DNSSEC) issue with your Domain Name System (DNS) provider before SSL Certificate issuance can proceed.
Common Domain Name System Security Extensions (DNSSEC) Misconfigurations
Several types of Domain Name System Security Extensions (DNSSEC) misconfigurations can cause validation failures that will block SSL Certificate issuance under the new requirements. Understanding these common issues can help you identify and resolve problems before they affect your operations.
Expired Domain Name System Security Extensions (DNSSEC) Signatures
Domain Name System Security Extensions (DNSSEC) signatures have expiry dates, much like SSL Certificates themselves. If the signatures on your Domain Name System (DNS) records have expired, resolvers performing validation will reject the responses as invalid. This is one of the most common issues and typically occurs when automatic re-signing processes are not functioning correctly.
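To make the expiry rule concrete, here is an added example (not code from Trustico or Sectigo) that checks RRSIG validity windows the way a validating resolver does: the timestamps are 32-bit values compared with serial-number arithmetic (RFC 4034 section 3.1.5 and RFC 1982), so the comparison stays correct across the 2106 wrap-around. The records in SAMPLE_ZONE are constructed, with placeholder signatures; the utc() helper and the seven-day warning threshold are choices made for this example.

```python
"""Check whether an RRSIG is inside its validity window, the way a validating
resolver does. Added example for this article (not Trustico or Sectigo code).
Timestamps are converted to 32-bit serial values and compared with RFC 1982
serial arithmetic, as RFC 4034 section 3.1.5 requires."""
from datetime import datetime, timezone

TWO31 = 1 << 31
TWO32 = 1 << 32


def utc(year, month, day, hour=0, minute=0, second=0):
    """Small helper so callers can build UTC instants without importing datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def rrsig_time_to_serial(stamp):
    """'20260315000000' (UTC) -> seconds since the epoch, reduced to 32 bits."""
    dt = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % TWO32


def serial_le(a, b):
    """a <= b under RFC 1982 serial-number arithmetic on 32-bit values."""
    if a == b:
        return True
    return (a < b and b - a < TWO31) or (a > b and a - b > TWO31)


def parse_rrsig(line):
    """Parse an RRSIG in full zone-file presentation form:
    owner TTL class RRSIG type alg labels origTTL expiration inception keytag signer sig"""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not a full-form RRSIG record: " + line)
    return {
        "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
        "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": rrsig_time_to_serial(f[8]),
        "inception": rrsig_time_to_serial(f[9]),
        "key_tag": int(f[10]), "signer": f[11], "signature": "".join(f[12:]),
    }


def rrsig_window_status(line, now):
    """Return (status, seconds): status is 'valid', 'expired' or 'not_yet_valid';
    seconds is the time left until expiration when valid, otherwise the negative
    distance to the nearer edge of the window."""
    sig = parse_rrsig(line)
    now_serial = int(now.timestamp()) % TWO32
    if not serial_le(sig["inception"], now_serial):
        return "not_yet_valid", -((sig["inception"] - now_serial) % TWO32)
    if not serial_le(now_serial, sig["expiration"]):
        return "expired", -((now_serial - sig["expiration"]) % TWO32)
    return "valid", (sig["expiration"] - now_serial) % TWO32


def signatures_needing_attention(zone_lines, now, min_remaining=7 * 86400):
    """Flag every RRSIG that is outside its window or expires within
    min_remaining seconds: the early warning that automatic re-signing has stalled."""
    findings = []
    for line in zone_lines:
        fields = line.split()
        if len(fields) > 3 and fields[3] == "RRSIG":
            status, seconds = rrsig_window_status(line, now)
            if status != "valid" or seconds < min_remaining:
                findings.append((fields[0], fields[4], status, seconds))
    return findings


# Constructed sample records (signatures are placeholder base64, not real).
SAMPLE_ZONE = [
    "example.com. 3600 IN RRSIG A 13 2 3600 20260315000000 20260215000000 12345 example.com. c29tZS1zaWduYXR1cmU=",
    "example.com. 3600 IN RRSIG CAA 13 2 3600 20260228000000 20260129000000 12345 example.com. b3RoZXItc2lnbmF0dXJl",
]

if __name__ == "__main__":
    for finding in signatures_needing_attention(SAMPLE_ZONE, utc(2026, 3, 1)):
        print(finding)
```

Feed it the RRSIG lines from `dig +dnssec <name> <type>` or from a signed zone file. Anything reported as expired, or as valid with less time remaining than the warning threshold, means re-signing has stopped or is lagging and should be fixed before the zone is queried during issuance.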
Broken Chain of Trust
Domain Name System Security Extensions (DNSSEC) relies on a hierarchical chain of trust from the root zone down through each parent zone to your domain. If any link in this chain is broken - such as a missing Delegation Signer (DS) record at the parent zone or a mismatch between the published DS record and the actual zone signing key - the entire validation will fail.
This can happen when domains are transferred between registrars or when Domain Name System (DNS) providers are changed without properly updating the delegation records.
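An added example (not Trustico's, Sectigo's or any DNS provider's code) of how the DS/DNSKEY link is verified, which is the check that a registrar transfer or provider migration most often breaks: the DS record at the parent must carry the key tag and digest of a DNSKEY the child zone actually serves. It implements the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4) computations. The two DNSKEYs and the zone name are constructed placeholders, and the "previous provider" scenario in the demo is an assumption made to illustrate the mismatch.

```python
"""Recompute the DS record for a DNSKEY and compare it with what the parent
publishes. Added example for this article, not the code of Trustico, Sectigo
or any DNS provider. Implements the RFC 4034 Appendix B key tag and the
RFC 4034 section 5.1.4 DS digest (SHA-256 = digest type 2) over the
canonical wire-form owner name followed by the DNSKEY RDATA."""
import base64
import hashlib

DIGEST_ALGORITHMS = {1: "sha1", 2: "sha256", 4: "sha384"}


def owner_name_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit key tag over the DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS record (key_tag, algorithm, digest_type, HEX-DIGEST) the parent should publish."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = hashlib.new(DIGEST_ALGORITHMS[digest_type])
    h.update(owner_name_wire(owner) + rdata)
    return key_tag(rdata), algorithm, digest_type, h.hexdigest().upper()


def check_delegation(owner, dnskeys, published_ds):
    """Report whether at least one published DS matches a DNSKEY the zone serves.
    dnskeys: list of (flags, protocol, algorithm, pubkey_b64) tuples from the child.
    published_ds: list of (key_tag, algorithm, digest_type, hex_digest) from the parent.
    A DS that matches nothing is exactly the 'broken chain of trust' described above."""
    matched, stale = [], []
    for ds in published_ds:
        tag, alg, dtype, digest = ds
        candidates = {ds_from_dnskey(owner, *key, digest_type=dtype)
                      for key in dnskeys if dtype in DIGEST_ALGORITHMS}
        (matched if (tag, alg, dtype, digest.upper()) in candidates else stale).append(ds)
    return {"secure_link": bool(matched), "matched": matched, "stale": stale}


ZONE = "example.com."
# Constructed keys: the public-key bytes are placeholders, not usable keys.
OLD_KSK = (257, 3, 13, "AAECAwQFBgc=")   # KSK the previous DNS provider used (assumed scenario)
NEW_KSK = (257, 3, 13, "CAkKCwwNDg8=")   # KSK the zone serves after the provider change

if __name__ == "__main__":
    stale_ds = ds_from_dnskey(ZONE, *OLD_KSK)   # what the registrar still publishes
    print("published DS:", stale_ds)
    print("zone now serves key tag:", key_tag(dnskey_rdata(*NEW_KSK)))
    print(check_delegation(ZONE, [NEW_KSK], [stale_ds]))
```

For a real zone the inputs come from `dig DNSKEY <zone>` (answered by the child) and `dig DS <zone>` (answered by the parent). The DS normally points at the key-signing key (flags 257), and a result with no matched entry means every validating resolver, including the Certificate Authority's, will treat the zone as bogus.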
Unsigned Child Zones
A common issue occurs when a parent domain is signed with Domain Name System Security Extensions (DNSSEC) but a subdomain is delegated to its own zone that has no Domain Name System Security Extensions (DNSSEC) configuration of its own. The result is a signed domain with unsigned records beneath it, which can fail validation once it is enforced. If you use subdomains for your SSL Certificates, verify that the Domain Name System Security Extensions (DNSSEC) configuration covers all relevant zones.
Key Rollover Failures
Domain Name System Security Extensions (DNSSEC) keys need to be periodically rotated for security purposes - a process known as key rollover. If a rollover is initiated but not completed properly, it can leave the zone in an inconsistent state where old keys have been removed but new keys have not been fully propagated.
This is a particularly difficult issue because it may not be immediately apparent and can suddenly cause validation failures when a Certificate Authority (CA) attempts to verify your Domain Name System (DNS) records.
How to Check Your Domain Name System Security Extensions (DNSSEC) Configuration
Before the enforcement date, it is strongly recommended that you verify whether your domain uses Domain Name System Security Extensions (DNSSEC) and confirm that it is properly configured. Several tools are available to help you assess your status.
Available Diagnostic Tools
DNSViz is a widely used visual tool that displays the Domain Name System Security Extensions (DNSSEC) chain graphically, showing green indicators for properly validated zones and red or yellow indicators for problems. You can access it at dnsviz.net by entering your domain name.
Verisign provides a Domain Name System Security Extensions (DNSSEC) Debugger that offers detailed error analysis with specific recommendations for fixing problems. Additionally, the Domain Name System Security Extensions (DNSSEC) Health tool at dnssec.health allows you to validate multiple domains and provides diagnostic information for any that fail.
When using these tools, you are looking for one of three statuses. A "secure" result means validation succeeded and records are properly signed. An "insecure" result means Domain Name System Security Extensions (DNSSEC) is not enabled - this is acceptable and will not cause any issues. A "bogus" result means validation has failed, and this will block SSL Certificate issuance under the new requirements.
Tip : Run a Domain Name System Security Extensions (DNSSEC) check on all domains associated with your Trustico® SSL Certificates before 5 March 2026. If any domain returns a "bogus" status, contact your Domain Name System (DNS) provider to resolve the issue promptly.
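For readers who prefer a command-line check, here is an added example (not from the original article) that classifies a domain into the same three statuses from `dig` output obtained through a validating public resolver. The dig outputs embedded in it are constructed samples; run_dig() and check_domain() assume that dig is installed and that the resolver (1.1.1.1 by default) is reachable and validates DNSSEC.

```python
"""Classify a domain's DNSSEC state as secure, insecure or bogus from `dig` output.
Added example, not part of the original article. A validating resolver sets
the AD flag on answers it validated, answers unsigned zones without AD, and
returns SERVFAIL when validation fails; repeating the query with +cd (checking
disabled) tells a bogus zone apart from a plain outage, because the data then
comes back unvalidated. The dig outputs below are constructed samples;
check_domain() shells out to a real dig only when you call it yourself."""
import re
import subprocess

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);", re.MULTILINE)


def parse_dig(output):
    """Pull the response code and header flags out of dig's text output."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    return {
        "status": status.group("status") if status else None,
        "flags": set(flags.group("flags").split()) if flags else set(),
    }


def classify(normal_output, cd_output):
    """Map a (normal, +cd) pair of dig outputs to one of the three statuses
    the article describes, or 'error' when the name cannot be resolved at all."""
    normal, cd = parse_dig(normal_output), parse_dig(cd_output)
    resolved = ("NOERROR", "NXDOMAIN")
    if normal["status"] in resolved:
        return "secure" if "ad" in normal["flags"] else "insecure"
    if normal["status"] == "SERVFAIL" and cd["status"] in resolved:
        return "bogus"   # data exists but fails DNSSEC validation: issuance will be blocked
    return "error"


def run_dig(name, rrtype="CAA", resolver="1.1.1.1", checking_disabled=False):
    """Query a validating public resolver with dig; +cd disables validation."""
    cmd = ["dig", "@" + resolver, name, rrtype, "+dnssec"]
    if checking_disabled:
        cmd.append("+cd")
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def check_domain(name, rrtype="CAA", resolver="1.1.1.1"):
    """Live check (needs network and dig): returns secure / insecure / bogus / error."""
    return classify(run_dig(name, rrtype, resolver), run_dig(name, rrtype, resolver, True))


# Constructed dig headers (abridged to the lines the classifier reads).
SECURE_SAMPLE = """; <<>> DiG 9.18.0 <<>> @1.1.1.1 signed.example CAA +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
INSECURE_SAMPLE = """; <<>> DiG 9.18.0 <<>> @1.1.1.1 unsigned.example CAA +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_SAMPLE = """; <<>> DiG 9.18.0 <<>> @1.1.1.1 broken.example CAA +dnssec
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33333
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_CD_SAMPLE = """; <<>> DiG 9.18.0 <<>> @1.1.1.1 broken.example CAA +dnssec +cd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44444
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print("signed.example:", classify(SECURE_SAMPLE, SECURE_SAMPLE))
    print("unsigned.example:", classify(INSECURE_SAMPLE, INSECURE_SAMPLE))
    print("broken.example:", classify(BOGUS_SAMPLE, BOGUS_CD_SAMPLE))
```

Querying the CAA type is deliberate: that lookup happens on every issuance whatever validation method is used, so it is the one most worth checking. The +cd re-query is the caveat that matters in practice: a SERVFAIL on its own can also mean the authoritative servers are down, and only a successful unvalidated answer confirms that DNSSEC is the problem.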
What to Do If Domain Name System Security Extensions (DNSSEC) Validation Fails
If you discover that your domain has a failing Domain Name System Security Extensions (DNSSEC) configuration, the resolution will depend on the specific issue identified. In most cases, you will need to work with your Domain Name System (DNS) provider or domain registrar to correct the problem. Common fixes include updating expired signatures, correcting Delegation Signer (DS) records, completing interrupted key rollovers, or properly signing child zones.
If you are unable to resolve the issue and need to issue an SSL Certificate urgently, you may consider temporarily disabling Domain Name System Security Extensions (DNSSEC) on your domain. Removing it entirely will cause the domain to return an "insecure" status, which allows SSL Certificate issuance to proceed normally. In practice this means removing the Delegation Signer (DS) record at the parent zone through your registrar; validating resolvers may keep using cached DS and DNSKEY records until their Time to Live (TTL) expires, so allow for that delay before retrying issuance. However, this should be a temporary measure and Domain Name System Security Extensions (DNSSEC) should be re-enabled as soon as possible.
Impact on SSL Certificate Issuance and Reissuance
This change affects all types of SSL Certificate operations that involve Domain Control Validation (DCV) or Certificate Authority Authorization (CAA) lookups. Understanding the specific scenarios will help you plan accordingly.
New SSL Certificate Issuance
When you purchase a new SSL Certificate from Trustico® and submit it for issuance, the Certificate Authority (CA) must perform Domain Control Validation (DCV) to confirm you control the domain. If your domain has Domain Name System Security Extensions (DNSSEC) enabled, the Certificate Authority (CA) will now validate the signatures during this process. If validation fails, the SSL Certificate cannot be issued until the issue is resolved.
This applies regardless of which Domain Control Validation (DCV) method you choose - whether Approver E-Mail, CNAME validation, or file-based authentication.
SSL Certificate Reissuance
If you need to reissue an existing SSL Certificate - for example due to a change of server or a new Certificate Signing Request (CSR) - the Certificate Authority (CA) will perform fresh Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks. The same Domain Name System Security Extensions (DNSSEC) validation requirements apply to reissuance as they do to initial issuance.
If your Domain Name System Security Extensions (DNSSEC) was working when the SSL Certificate was first issued but has since become misconfigured, the reissuance will fail.
Existing SSL Certificates
SSL Certificates that have already been issued are not affected by this change. Your existing SSL Certificates will remain valid until their normal expiry date regardless of your Domain Name System Security Extensions (DNSSEC) status. The new validation requirement only applies to new issuance and reissuance operations after the enforcement date.
Certificate Authority Authorization (CAA) Record Lookups
Certificate Authority Authorization (CAA) records allow domain owners to specify which Certificate Authorities (CA) are permitted to issue SSL Certificates for their domain. The Certificate Authority (CA) is required to check these records before every issuance.
Under the new requirements, the Domain Name System (DNS) queries used to retrieve Certificate Authority Authorization (CAA) records must also be subject to Domain Name System Security Extensions (DNSSEC) validation when present. Even if you use Approver E-Mail validation, the Certificate Authority Authorization (CAA) lookup could still fail if your Domain Name System Security Extensions (DNSSEC) is broken.
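As an added illustration of how the Certificate Authority Authorization (CAA) check and the DNSSEC state combine on the Certificate Authority (CA) side (example code, not Sectigo's or Trustico's validation logic): the CA climbs from the FQDN to the first non-empty CAA RRset as RFC 8659 describes, refuses if any answer on the way is bogus, and only then applies the issue/issuewild rules. In this example ca.example.net stands in for the CA's CAA issuer domain, DEMO_ZONES is a constructed in-memory zone, and the dcv_status argument is a simplification of the separate DCV lookup.

```python
"""CA-side gate combining the CAA lookup of RFC 8659 with the DNSSEC state of
each lookup. Added example for this article: it is not Sectigo's or Trustico's
validation code, and ca.example.net stands in for the CA's CAA issuer domain.
The lookup function is a constructed in-memory zone; a real CA resolves each
name with a validating resolver and gets secure / insecure / bogus back."""


class IssuanceBlocked(Exception):
    """Raised when a DNS answer needed for the decision fails DNSSEC validation."""


def caa_relevant_rrset(fqdn, lookup):
    """RFC 8659 section 3: use the first non-empty CAA RRset found by climbing
    from the FQDN toward the root. lookup(name) -> (dnssec_status, rrset),
    rrset being a list of (flags, tag, value) tuples. A bogus answer anywhere
    on the climb aborts the decision, as Ballot SC-085v2 requires."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        status, rrset = lookup(name)
        if status == "bogus":
            raise IssuanceBlocked(f"DNSSEC validation failed for CAA lookup at {name}")
        if rrset:
            return name, rrset
    return None, []


def issuer_domain(value):
    """'ca.example.net; account=42' -> 'ca.example.net'; ';' -> '' (nobody may issue)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(rrset, ca_domain, wildcard=False):
    """RFC 8659 section 4 processing for one CA against the relevant RRset."""
    known = {"issue", "issuewild", "iodef", "contactemail", "contactphone"}
    if any(flags & 0x80 and tag.lower() not in known for flags, tag, _ in rrset):
        return False  # critical flag on an unrecognised property: must not issue
    tags = {tag.lower() for _, tag, _ in rrset}
    wanted = "issuewild" if wildcard and "issuewild" in tags else "issue"
    issuers = [issuer_domain(v) for _, t, v in rrset if t.lower() == wanted]
    if not issuers:
        return True  # no issue/issuewild property at all: issuance is unrestricted
    return ca_domain.lower() in issuers  # an empty issuer ('issue ";"') matches nothing


def issuance_decision(fqdn, ca_domain, lookup, dcv_status="secure"):
    """Return (may_issue, reason). dcv_status is the DNSSEC state of the DCV
    lookup (for example the CNAME record the customer published)."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    if dcv_status == "bogus":
        return False, "DCV lookup failed DNSSEC validation"
    try:
        found_at, rrset = caa_relevant_rrset(name, lookup)
    except IssuanceBlocked as exc:
        return False, str(exc)
    if not caa_permits(rrset, ca_domain, wildcard):
        return False, f"CAA at {found_at} does not authorise {ca_domain}"
    return True, ("CAA permits issuance" if rrset else "no CAA records found")


# Constructed zone data: name -> (dnssec_status, CAA RRset as (flags, tag, value)).
DEMO_ZONES = {
    "example.com": ("secure", [(0, "issue", "ca.example.net"),
                               (0, "iodef", "mailto:security@example.com")]),
    "www.example.com": ("secure", []),
    "broken.example": ("bogus", []),          # expired RRSIGs or a stale DS record
    "example.org": ("insecure", [(0, "issue", ";")]),
}


def demo_lookup(name):
    return DEMO_ZONES.get(name, ("insecure", []))


if __name__ == "__main__":
    for fqdn in ("www.example.com", "*.example.com", "host.broken.example",
                 "plain.example.org", "nocaa.test"):
        print(fqdn, "->", issuance_decision(fqdn, "ca.example.net", demo_lookup))
```

The host.broken.example case is the one the article warns about: the customer may have chosen Approver E-Mail validation and never published a DNS record for DCV, yet issuance still stops because the CAA climb passes through a zone whose DNSSEC fails to validate.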
Automated Certificate Management and Automation Considerations
For customers who use automated SSL Certificate management solutions such as the Automatic Certificate Management Environment (ACME) protocol, this change introduces an additional consideration for operational continuity.
Impact on Automatic Certificate Management Environment (ACME) Renewals and Reissuances
If you use Automatic Certificate Management Environment (ACME) for automated SSL Certificate renewals and reissuances, a broken Domain Name System Security Extensions (DNSSEC) configuration could cause these operations to fail silently. Because they happen automatically without manual intervention, a validation failure could go unnoticed until the existing SSL Certificate expires, potentially causing website downtime.
This makes it especially important for customers using automation to proactively verify their Domain Name System Security Extensions (DNSSEC) configurations.
Certificate as a Service (CaaS) Customers
Trustico® Certificate as a Service (CaaS) customers who rely on automated SSL Certificate lifecycle management should be particularly attentive to this change. If your domain's Domain Name System Security Extensions (DNSSEC) configuration becomes invalid between renewal and reissuance cycles, the automated process will be unable to complete.
Trustico® recommends establishing a regular schedule for reviewing your Domain Name System Security Extensions (DNSSEC) health as part of your ongoing SSL Certificate management practices.
The Broader Regulatory Context
This Domain Name System Security Extensions (DNSSEC) enforcement requirement does not exist in isolation. It is part of a series of significant changes to the SSL Certificate industry taking effect throughout 2026 and beyond.
Ballot SC-085v2 and Ballot SMC014
The Domain Name System Security Extensions (DNSSEC) validation requirement for Transport Layer Security (TLS) SSL Certificates was introduced through Ballot SC-085v2, which modifies the TLS Baseline Requirements. A companion ballot, SMC014, introduces identical requirements for S/MIME Certificates to maintain consistency across Certificate types. Both ballots share the same effective date framework and technical requirements.
Reducing SSL Certificate Validity Periods
Alongside the Domain Name System Security Extensions (DNSSEC) changes, the CA/Browser Forum has passed Ballot SC-081v3, which introduces a schedule for reducing SSL Certificate maximum validity periods beginning in March 2026. These changes will progressively shorten the maximum lifetime of SSL Certificates from the current 398 days down to 47 days by March 2029.
This means SSL Certificate renewal and reissuance operations will become more frequent, making it even more important that Domain Name System Security Extensions (DNSSEC) configurations are maintained correctly to avoid repeated issuance failures.
Sunsetting Legacy Validation Methods
Ballot SC-090 introduces a gradual sunset of all remaining e-mail-based, phone-based, and crossover Domain Control Validation (DCV) methods. As the industry moves toward Domain Name System (DNS)-based validation, the importance of maintaining correct Domain Name System (DNS) configurations - including Domain Name System Security Extensions (DNSSEC) - will only increase.
Customers who rely on Domain Name System (DNS)-based validation should treat Domain Name System Security Extensions (DNSSEC) management as a critical part of their SSL Certificate lifecycle planning.
Recommended Actions for Trustico® Customers
Taking a few straightforward steps now can help you avoid any disruption to your SSL Certificate operations when the Domain Name System Security Extensions (DNSSEC) enforcement takes effect.
Step One : Determine Whether Your Domain Uses Domain Name System Security Extensions (DNSSEC)
Check whether Domain Name System Security Extensions (DNSSEC) is enabled for any domains associated with your Trustico® SSL Certificates. Use one of the diagnostic tools mentioned earlier such as DNSViz or the Domain Name System Security Extensions (DNSSEC) Health checker. If the result shows "insecure," Domain Name System Security Extensions (DNSSEC) is not enabled and no further action is needed.
Step Two : Validate Your Domain Name System Security Extensions (DNSSEC) Configuration
If your domain does use Domain Name System Security Extensions (DNSSEC), run a full validation check. Look specifically for expired signatures, broken chains of trust, missing Delegation Signer (DS) records, and unsigned child zones. If any issues are identified, contact your Domain Name System (DNS) provider to have them resolved before 5 March 2026.
Step Three : Review Key Rollover Procedures
If your Domain Name System (DNS) provider manages Domain Name System Security Extensions (DNSSEC) key rollovers automatically, verify that the automation is functioning correctly. If you manage key rollovers manually, ensure your procedures are up to date and all current keys are valid.
Step Four : Plan SSL Certificate Operations Accordingly
If you have SSL Certificates due for renewal or reissuance around the enforcement date, consider completing those operations before 5 March 2026 to avoid potential complications. You can check your SSL Certificate status and initiate reissuance through the Trustico® tracking system.
Frequently Asked Questions
This section addresses the most common questions Trustico® customers may have about the Domain Name System Security Extensions (DNSSEC) validation enforcement change.
Do I Need to Enable Domain Name System Security Extensions (DNSSEC) on My Domain
No. Domain Name System Security Extensions (DNSSEC) remains entirely optional. The new requirement only means that if your domain already has Domain Name System Security Extensions (DNSSEC) enabled, it must validate successfully. If you do not use it, no action is required.
Will My Existing SSL Certificates Be Affected
No. SSL Certificates that have already been issued will remain valid until their normal expiry date. The Domain Name System Security Extensions (DNSSEC) validation requirement only applies to new issuance and reissuance operations after the enforcement date.
What Happens If Domain Name System Security Extensions (DNSSEC) Validation Fails
If validation fails during a Domain Control Validation (DCV) or Certificate Authority Authorization (CAA) check, the Certificate Authority (CA) is required to pause SSL Certificate issuance until the issue is resolved. The SSL Certificate will not be issued until the configuration is corrected or Domain Name System Security Extensions (DNSSEC) is removed from the domain entirely.
Can I Disable Domain Name System Security Extensions (DNSSEC) to Avoid Issues
Yes. If your Domain Name System Security Extensions (DNSSEC) is misconfigured and you cannot resolve it quickly, you can disable it on your domain. This will return an "insecure" status, which allows normal SSL Certificate issuance. However, disabling Domain Name System Security Extensions (DNSSEC) removes cryptographic protection for Domain Name System (DNS) responses, so it should only be a temporary measure.
Does This Affect All Validation Methods
The validation applies to all Domain Name System (DNS) queries performed by the Certificate Authority (CA) during issuance. This includes Domain Control Validation (DCV) lookups for Domain Name System (DNS)-based methods as well as Certificate Authority Authorization (CAA) record checks, which are performed for every SSL Certificate issuance regardless of the Domain Control Validation (DCV) method chosen.
Even if you use Approver E-Mail validation, the Certificate Authority Authorization (CAA) lookup could still fail if your Domain Name System Security Extensions (DNSSEC) is broken.
Conclusion
The enforcement of Domain Name System Security Extensions (DNSSEC) validation during SSL Certificate issuance represents a meaningful improvement in the security of the Public Key Infrastructure (PKI) ecosystem. By ensuring that Certificate Authorities (CA) validate Domain Name System Security Extensions (DNSSEC) when present, the industry is closing a long-standing gap that could have allowed Domain Name System (DNS) spoofing attacks to compromise the issuance process.
While the majority of Trustico® customers will not be affected, those who use Domain Name System Security Extensions (DNSSEC) should verify their configurations before the 5 March 2026 enforcement date. Trustico® remains committed to keeping customers informed about regulatory changes that affect SSL Certificate operations.
If you have questions about your Domain Name System Security Extensions (DNSSEC) configuration or need assistance, you can manage your SSL Certificates through the Trustico® tracking system where you can check order status, initiate reissuance, and update validation settings.
For further help with SSL Certificate operations, validation, or account management, Trustico® provides a range of resources to assist you.