Cert Authorities Check for DNSSEC From Today


Article written by a human: Mike Cardwell

About 14 years ago I set up DNSSEC. I've been running it on all of my domains ever since, without issue. First using bind9 and then later using PowerDNS.

From today, all Certificate Authorities (CAs) must validate DNSSEC when a domain has it enabled.

So from today, when a CA looks up my CAA record to see if it is allowed to issue a cert for one of my domains, it must verify that the response it received passes DNSSEC validation. And during the ACME dance, it has to validate those DNS records too.
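To show what that CAA check amounts to in practice, here is an added example (not code from this post) that parses the output of `dig +dnssec CAA <domain>` as answered by a validating resolver and decides whether a CA may issue. The dig output, the CA name `ca.example` and the `zone_signed` parameter are constructed assumptions; a real CA would also climb to parent names when no CAA record is found, which is omitted here.

```python
import re
from dataclasses import dataclass

# Constructed sample of `dig +dnssec CAA example.com`, trimmed to the header,
# flags and answer lines the check relies on. "ad" in the flags means the
# resolver authenticated the answer with DNSSEC.
DIG_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40213
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t3600\tIN\tCAA\t0 issue "ca.example"
example.com.\t3600\tIN\tCAA\t0 issuewild ";"
example.com.\t3600\tIN\tRRSIG\tCAA 13 2 3600 20250201000000 20250101000000 2371 example.com. (constructed)
"""

# Constructed output for a signed zone whose signatures fail validation:
# a validating resolver answers SERVFAIL and returns no records at all.
DIG_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40214
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

CAA_RE = re.compile(r'^\S+\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"', re.M)

@dataclass
class CaaDecision:
    status: str       # RCODE as printed by dig (NOERROR, SERVFAIL, ...)
    validated: bool   # AD flag set: the resolver authenticated the answer
    records: list     # (flags, tag, value) tuples from the answer section
    may_issue: bool

def evaluate_caa(dig_output, ca_domain, wildcard=False, zone_signed=True):
    """Decide whether the CA named ca_domain may issue, from dig output."""
    status = re.search(r"status: (\w+)", dig_output).group(1)
    flags = re.search(r"^;; flags: ([^;]*);", dig_output, re.M)
    validated = bool(flags) and "ad" in flags.group(1).split()
    records = [(int(f), t, v) for f, t, v in CAA_RE.findall(dig_output)]
    # SERVFAIL from a validating resolver means the signed data is bogus, and
    # an unauthenticated answer for a signed zone must not be relied on.
    if status != "NOERROR" or (zone_signed and not validated):
        return CaaDecision(status, validated, records, False)
    # RFC 8659: issuewild governs wildcard requests when present, else issue.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in records) else "issue"
    allowed = [v for _, t, v in records if t == tag]
    if not allowed:  # no relevant CAA property at this name: not restricted here
        return CaaDecision(status, validated, records, True)
    permitted = any(v.split(";")[0].strip() == ca_domain for v in allowed)
    return CaaDecision(status, validated, records, permitted)
```

The `issuewild ";"` record shows the common pattern of forbidding wildcard issuance entirely: its CA field is empty, so no CA name can match it.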

I assume that all CAs had implemented this requirement prior to today, if only so they could test it before the deadline was reached. But now it is mandatory, and I expect that any evidence that they are not doing it will be treated harshly.

You might not want to learn about DNSSEC. You probably don't host your own DNS zone. There's a reasonable chance you own your own domain name though if you're here reading this. Why not go find out if your registrar supports DNSSEC for your domains? It might be a one-click operation to turn it on...
