Knowledge Base

Description

On February 24, 2026, DigiCert will start validating Domain Name System Security Extensions (DNSSEC), if present, during domain control validation and DNS Certification Authority Authorization (CAA) checks. This change affects all products that require domain validation and/or CAA checks before certificate issuance:

• Public TLS certificates (DV, OV, and EV)
• X9 PKI for TLS certificate
• EU Qualified Website Authentication Certificate (QWAC)
• EU Qualified Website Authentication Certificate PSD2
• PKIoverheid Private Services Server certificate
• Secure Email (S/MIME) certificates

Our DNS resolvers will validate the signatures associated with your DNSSEC configuration and prevent issuance if the validation fails.

Items covered in this article

• Why is DigiCert doing this?
  • Benefits of DNSSEC
• What do I need to do to prepare for the new CA requirement to validate DNSSEC?
  • Verify DNSSEC configurations before February 24, 2026
• References
• Need help?

Why is DigiCert doing this?

DigiCert will start validating DNSSEC when verifying domain control and performing DNS CAA checks, in alignment with the CA/Browser Forum’s Ballot SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups. This ballot requires Certificate Authorities (CAs) to validate DNSSEC, if present, to verify domain control, pass CAA checks, and issue a certificate. Learn more about Ballot SC-085v2. With this ballot, CAs can no longer ignore misconfigured DNSSEC.

Benefits of DNSSEC

As stated in the Purpose of the Ballot, “DNSSEC adds an optional layer of security to DNS by enabling cryptographic validation of DNS resource records, ensuring that they are authentic and haven’t been tampered with…If a domain properly configures DNSSEC, DNSSEC validation can meaningfully reduce the risks associated with DNS spoofing or interception attacks against CAs [1]. Furthermore, DNSSEC validation by CAs provides options for domain owners to achieve provable security of the domain control validation process against network adversaries [1][2].”

What do I need to do to prepare for the new CA requirement to validate DNSSEC?

Identify DNSSEC configurations for your certificate domains before February 24, 2026. Then, what you need to do depends on whether you are using DNSSEC for these domains.

• I verified that we aren’t using DNSSEC for the domains in our certificates.
  No action is required.
• I verified that we use DNSSEC or plan to use it for the domains in our certificates.
  If you’ve set up DNSSEC and it’s misconfigured, the DigiCert DNSSEC check may fail during domain control validation, and/or during the CAA check if you have CAA records for your domains. DNSSEC misconfiguration may prevent certificate issuance.

Verify DNSSEC configurations before February 24, 2026

To prevent failed DigiCert DNSSEC validation failures, DigiCert recommends using tools like DNSViz to verify that your DNSSEC is properly configured for domains you plan to use in certificate requests before February 24, 2026:

• https://dnsviz.net/
• https://github.com/dnsviz/dnsviz

When DigiCert starts validating DNSSEC on February 24, be prepared to troubleshoot issues if a broken DNSSEC configuration blocks certificate issuance.

References

• Ballot SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups
• Enable DNSSEC to Prevent Security Issues

Need help?

If you have questions or concerns, please contact your account manager or DigiCert Support.