
Cert Authorities Check for DNSSEC from Today

Why This Matters

The mandatory validation of DNSSEC by Certificate Authorities enhances the security and integrity of digital certificates, reducing risks of domain hijacking and man-in-the-middle attacks. This change signifies a step forward in strengthening the trustworthiness of online communications for both the tech industry and consumers. Ensuring DNSSEC is enabled can help protect users and organizations from malicious activities related to domain validation.

Published 1 day ago · Article written by a human: Mike Cardwell

About 14 years ago I set up DNSSEC. I've been running it on all of my domains ever since, without issue. First using bind9 and then later using PowerDNS.

From today, all Certificate Authorities (CAs) must validate DNSSEC when a domain has it enabled.

So from today, when a CA looks up my CAA record to see if they are allowed to issue a cert for one of my domains, they must validate that the response they received is valid. And during the ACME dance, they have to validate those DNS records too.

I assume that all CAs had implemented this requirement prior to today, if only so they could test it before the deadline was reached. But now it is mandatory, and I expect that any evidence that they are not doing it will be treated harshly.

You might not want to learn about DNSSEC. You probably don't host your own DNS zone. There's a reasonable chance you own your own domain name though if you're here reading this. Why not go find out if your registrar supports DNSSEC for your domains? It might be a one-click operation to turn it on...
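
The CAA lookup described above, modelled as an added example (not the author's code and not any CA's implementation): a CA-side check that climbs the DNS tree for the relevant CAA record set (RFC 8659) and refuses to issue when an answer fails DNSSEC validation. The zone data, the `lookup` resolver stub and the CA names are constructed, and the example assumes a bogus answer blocks issuance outright.

```python
# Added example: a CA-side CAA check that honours DNSSEC validation results.
# All names and records below are constructed for illustration.
from enum import Enum

class Sec(Enum):
    SECURE = "secure"      # signed zone, chain of trust validated
    INSECURE = "insecure"  # zone provably unsigned (no DS at the parent)
    BOGUS = "bogus"        # signed zone, but the answer failed validation

# Constructed resolver answers: name -> (validation state, CAA RRset).
# Each CAA record is (flags, tag, value).
ANSWERS = {
    "www.signed.example": (Sec.SECURE, []),
    "signed.example": (Sec.SECURE, [(0, "issue", "ca-one.example")]),
    "www.spoofed.example": (Sec.BOGUS, [(0, "issue", "ca-two.example")]),
    "unsigned.example": (Sec.INSECURE, []),
    "locked.example": (Sec.SECURE, [(0, "issue", ";")]),
}
KNOWN_TAGS = ("issue", "issuewild", "iodef")

def lookup(name):
    """Stand-in for a validating resolver; unlisted names are empty and secure."""
    return ANSWERS.get(name, (Sec.SECURE, []))

def relevant_caa(fqdn):
    """RFC 8659 tree climb: first non-empty CAA RRset from fqdn toward the root."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        state, rrset = lookup(name)
        if state is Sec.BOGUS:  # never act on data that failed validation
            raise LookupError(f"DNSSEC validation failed at {name}")
        if rrset:
            return rrset
    return []

def may_issue(ca_domain, fqdn):
    """Return (allowed, reason) for a non-wildcard certificate request."""
    try:
        rrset = relevant_caa(fqdn)
    except LookupError as exc:
        return False, str(exc)
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, "unknown critical CAA property"
    issuers = [v.split(";")[0].strip() for _, tag, v in rrset if tag == "issue"]
    if not issuers:
        return True, "no issue property restricts issuance"
    if ca_domain in issuers:
        return True, "CA named in CAA issue property"
    return False, "CAA issue property does not name this CA"
```

The `www.spoofed.example` case is the one the new rule targets: the forged answer names `ca-two.example`, but because it fails validation the request is refused instead of being honoured.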