DigiCert KnowledgeBase - Technical Support


DigiCert Validating DNSSEC when Verifying Domain Control and Performing CAA Checks

Solution ID : ALERT73
Last Modified : 01/17/2026
Important: This is a dynamic article. DigiCert may update this article if new information becomes available. Save this page and check for updates. The Last Modified date appears under the title of the article.


Description

On February 24, 2026, DigiCert will start validating Domain Name System Security Extensions (DNSSEC), if present, when verifying domain control and performing DNS Certification Authority Authorization (CAA) checks. This change affects all products that require domain validation and/or CAA checks before certificate issuance:

  • Public TLS certificates (DV, OV, and EV)
  • X9 PKI for TLS certificate
  • EU Qualified Website Authentication Certificate (QWAC)
  • EU Qualified Website Authentication Certificate PSD2
  • PKIoverheid Private Services Server certificate
  • Secure Email (S/MIME) certificates

Our DNS resolvers will validate the signatures associated with your DNSSEC configuration and prevent issuance if the validation fails.

Important: The use of DNSSEC is NOT MANDATORY. You don’t need to configure DNSSEC for DigiCert to issue one of the certificates listed above. This information only applies to those using or planning to use DNSSEC.


Why is DigiCert doing this?

DigiCert will start validating DNSSEC when verifying domain control and performing DNS CAA checks to align with the CA/Browser Forum’s Ballot SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups. This ballot requires CAs to validate DNSSEC, if present, for domain control to be verified, for CAA checks to pass, and for a certificate to be issued. Learn more about Ballot SC-085v2. With this ballot, CAs can no longer ignore misconfigured DNSSEC.

Benefits of DNSSEC

As stated in the Purpose of the Ballot, “DNSSEC adds an optional layer of security to DNS by enabling cryptographic validation of DNS resource records, ensuring that they are authentic and haven’t been tampered with…If a domain properly configures DNSSEC, DNSSEC validation can meaningfully reduce the risks associated with DNS spoofing or interception attacks against CAs [1]. Furthermore, DNSSEC validation by CAs provides options for domain owners to achieve provable security of the domain control validation process against network adversaries [1][2].”


What do I need to do?

  • If you don’t use DNSSEC, nothing.
  • If you do use DNSSEC, nothing, provided it is correctly configured.

However, if you have set up DNSSEC and it is misconfigured (for example, an expired RRSIG, a DS record in the parent zone that matches no DNSKEY in your zone, or a key rollover that left stale signatures behind), the DigiCert DNSSEC check may fail during domain control validation, and the CAA check may fail as well. Note that the CAA lookup is performed for every domain, whether or not you have published CAA records, so a DNSSEC validation failure blocks the CAA check even for a domain with no CAA record. Either failure may prevent certificate issuance.

DigiCert recommends verifying your DNSSEC is properly configured before February 24, 2026. Be prepared to troubleshoot any problems if a DNSSEC check blocks you from getting your certificate issued once we roll out this change.
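The following script is an added example, not DigiCert tooling, that checks a name the way a DNSSEC-validating resolver (such as the CA's) will see it. It queries with dig +dnssec against a validating resolver and then repeats the query with +cd (checking disabled). A NOERROR answer carrying the AD flag means the chain of trust validated; NOERROR without AD means the name is unsigned, has no DS in its parent, or the resolver does not validate; SERVFAIL that turns into NOERROR under +cd means DNSSEC is present but broken, which is the case that will block issuance. The dig outputs embedded in the script are constructed for an offline demonstration; example.com and the default resolver 8.8.8.8 are assumptions.

```shell
#!/bin/sh
# Added example (not DigiCert tooling): classify a name's DNSSEC state from
# two dig queries so a "signed but broken" zone can be told apart from an
# unsigned one before a CA's validating resolver rejects it.
#
#   secure   - NOERROR with the AD (authenticated data) flag: chain of trust validated
#   insecure - NOERROR without AD: no DNSSEC chain for this name, or resolver not validating
#   bogus    - SERVFAIL normally, NOERROR with +cd (checking disabled):
#              DNSSEC is configured but fails validation; this blocks issuance
#   error    - fails both ways: ordinary DNS failure, not a DNSSEC problem

# Print the RCODE (NOERROR, SERVFAIL, ...) from dig output read on stdin.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Succeed if the ";; flags:" line of dig output on stdin carries the AD flag.
dig_has_ad() {
  grep -q ';; flags:[^;]* ad[ ;]'
}

# $1 = output of the validating query, $2 = output of the same query with +cd.
dnssec_classify() {
  normal_status=$(printf '%s\n' "$1" | dig_status)
  cd_status=$(printf '%s\n' "$2" | dig_status)
  if [ "$normal_status" = NOERROR ]; then
    if printf '%s\n' "$1" | dig_has_ad; then echo secure; else echo insecure; fi
  elif [ "$normal_status" = SERVFAIL ] && [ "$cd_status" = NOERROR ]; then
    echo bogus
  else
    echo error
  fi
}

# Live check: dnssec_check <name> [rrtype] [resolver]. Needs network and dig.
# The resolver must validate DNSSEC itself, or the AD flag will never be set.
# 8.8.8.8 (Google Public DNS) validates; substitute your own validating resolver.
dnssec_check() {
  name=$1; rtype=${2:-CAA}; resolver=${3:-8.8.8.8}
  normal=$(dig +dnssec "$rtype" "$name" "@$resolver")
  withcd=$(dig +dnssec +cd "$rtype" "$name" "@$resolver")
  dnssec_classify "$normal" "$withcd"
}

# Constructed dig outputs (header lines only) for the offline demonstration.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

printf 'secure sample   -> %s\n' "$(dnssec_classify "$SAMPLE_SECURE" "$SAMPLE_SECURE")"
printf 'insecure sample -> %s\n' "$(dnssec_classify "$SAMPLE_INSECURE" "$SAMPLE_INSECURE")"
printf 'bogus sample    -> %s\n' "$(dnssec_classify "$SAMPLE_BOGUS" "$SAMPLE_BOGUS_CD")"
```

Run dnssec_check yourdomain.example CAA for the CAA lookup and again with the record type your validation method uses (for example TXT for a DNS-based DCV challenge). Only the "bogus" outcome indicates a DNSSEC problem; "insecure" means the resolver found no chain of trust to validate, which is the normal state for an unsigned domain and also what you will see if a signed zone has no DS record in its parent. A result that is "secure" from one public validating resolver is strong evidence that the CA's resolvers will validate the same chain, but it is not a guarantee, so fix any "bogus" result well before the cutover date.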


References