Beginning March 2026, Certificate Authorities (CAs) must verify DNSSEC signatures during CAA evaluation and Domain Control Validation (DCV) if DNSSEC has been enabled on the domain. This change has been approved by the CA/Browser Forum through the CA/B Forum Ballot SC-085v2 (TLS) and SMC014 (S/MIME). With this change, DigiCert has started validating DNSSEC during theRead More The post DNSSEC Validation for SSL Certificates: CA/B Forum Ballot SC-085 Changes in March 2026 appeared first on EncryptedFence by Certera - Web & Cyber Security Blog.

Security Boulevard is a leading cybersecurity news and information portal, offering articles, analysis, and insights on cybersecurity threats, vulnerabilities, and best practices. From the latest trends in cyber threats to expert commentary on security technologies and compliance frameworks, Security Boulevard provides resources for security professionals, IT leaders, and business executives seeking to protect their organizations from cyber attacks and data breaches.

Security Boulevard

Starting March 3, 2026, Certificate Authorities must validate DNSSEC signatures during CAA record lookups and DNS-based Domain Control Validation (DCV) if DNSSEC is enabled on a domain, per CA/Browser Forum ballots SC-085v2 and SMC014. Misconfigured DNSSEC—including missing DS records, expired ZSK/KSK keys, broken key rollovers, unsigned subdomain delegations, or RRSIG TTL mismatches—will now block TLS and S/MIME certificate issuance and renewal. Organizations using DNSSEC should audit their DNS configurations, verify DS records match active DNSKEY records, check key validity, and run DNSSEC chain-of-trust validation tools like DNSViz before the deadline.

DNSSEC Validation for SSL Certificates: CA/B Forum Ballot SC-085 Changes in March 2026

How can your Organization Prepare for this New Policy?