DNSSEC exception in email DCV methods


Dimitris Zacharopoulos (HARICA)

Nov 17, 2025, 11:57:58 AM (10 days ago) Nov 17
to CA/B Forum Server Certificate WG Public Discussion List
Dear Members,

Following up on the discussions around DNSSEC enforcement [1] [2] for all Domain Validation methods, and with the WG's consensus that the e-mail Domain Validation methods are scheduled to be deprecated with SC090 (currently in voting period), in order to reduce complexity and confusion around the way to enforce DNSSEC checks on MSA, MTA or MUA (see RFC 6409) or all of those email service agents, I would like to propose the following exception to the current language in section 3.2.2.4:

Change the following text:
Effective March 15th, 2026: DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed on all DNS queries associated with the validation of domain authorization or control by the Primary Network Perspective.


to

Effective March 15th, 2026: With the exception of Domain Validation methods described in sections 3.2.2.4.4, 3.2.2.4.13, 3.2.2.4.14, DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed on all DNS queries associated with the validation of domain authorization or control by the Primary Network Perspective.

Are there any members willing to endorse a ballot with this proposal?


Thank you,
Dimitris.

[1]: https://wiki.cabforum.org/books/meetings/page/validation-subcommittee-warsaw-f2f-66-minutes (minutes not yet published)
[2]: https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/g4G7WF6uCHo/m/gX2Ek4S-BAAJ


Henry Birge-Lee

Nov 18, 2025, 12:40:26 PM (9 days ago) Nov 18
to server...@groups.cabforum.org
Hi Dimitris and all,

As an interested party, I cannot formally endorse this, but I will offer a statement of support for this motion if ballot SC-090 passes.

I see work done in the CA/Browser Forum as a careful balance of improving the long term security of the ecosystem while maximizing stability for subscribers and CAs which reduces the likelihood of mis-issuances which can have a major impact on the availability of web resources. 

Given SC-090 deprecates the methods carved out in this exception, I see this as an appropriate short term measure to minimize the impact to the subscribers and CAs using these methods while the methods are going through the deprecation period. I am of the opinion that the methods exempted in this ballot and deprecated by SC-090 do have a larger attack surface than the remaining methods regardless of whether DNSSEC validation is performed or not. Obviously, the optimal security stance is to perform DNSSEC validation on all DNS queries associated with these methods, particularly since sending emails requires multiple DNS lookups to different domains which should all be secured. However, with the upcoming deprecation of these methods, I think the security benefit achieved by mandating DNSSEC just in the interim is not as significant.

I hold this opinion only under the condition that SC-090 proceeds. In the event these methods continue to be permitted by the Baseline Requirements indefinitely, I would recommend keeping the DNSSEC requirement on these methods to minimize long-term risks to subscribers.

For subscribers that wish to minimize the risk posed by these methods and the lack of DNSSEC validation, I would recommend using CAA records to either specify permitted validation methods, permitted subscriber accounts, or CAs that don't use these methods. Members of the CA/Browser Forum have correctly pointed out that the DNSSEC carve-out does not apply to CAA record checking, so DNSSEC-protected CAA records can still be used to minimize the attack surface posed by these methods in the interim.

Best,
Henry

--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/a74d1491-d401-412d-b407-eb624399c3bd%40harica.gr.
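Henry's suggestion rests on how a CA evaluates CAA records before issuing. The Python below is an added example (not part of this thread, and not any CA's code) that walks the RFC 8659 CAA lookup (climb from the FQDN toward the root until a CAA RRset is found, honour unknown critical records) and then applies the RFC 8657 issuer parameters validationmethods and accounturi, so a subscriber can see how a record such as "issue example-ca.test; validationmethods=dns-01,http-01" excludes an email-based method. It runs over a constructed in-memory zone instead of live DNS; the zone contents, the CA identifier example-ca.test, the account URI and the CA-defined label ca-email for an email method are all assumptions. A real CA performs these queries over DNSSEC-validated resolution, which is exactly the check the ballot keeps for CAA.

```python
"""CAA evaluation per RFC 8659 with RFC 8657 validationmethods/accounturi.

Added example for the thread above; zone data, CA name and method labels are
constructed for illustration and are not real records.
"""
from dataclasses import dataclass

CRITICAL = 0x80  # RFC 8659 issuer-critical flag bit
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone: owner name -> CAA RRset. Names absent here have no CAA RRset.
ZONE = {
    "example.test": [
        # Only example-ca.test may issue, and only via the two ACME methods listed.
        CAARecord(0, "issue", "example-ca.test; validationmethods=dns-01,http-01"),
        # Empty issuer for issuewild: no CA may issue wildcard certificates.
        CAARecord(0, "issuewild", ";"),
    ],
    "strict.example.test": [
        # Issuance additionally bound to one ACME account (assumed URI).
        CAARecord(0, "issue", "example-ca.test; accounturi=https://acme.example-ca.test/acct/123"),
    ],
    "open.test": [CAARecord(0, "issue", "other-ca.test")],
}


def find_caa_rrset(fqdn):
    """RFC 8659 section 3: return (owner, rrset) of the closest CAA RRset at or above fqdn."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = ZONE.get(name)
        if rrset:
            return name, rrset
    return None, []


def parse_issue_value(value):
    """Split 'issuer-domain; k=v; ...' into (issuer, {k: v}); an empty issuer means 'no CA'."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip()] = v.strip()
    return parts[0], params


def may_issue(fqdn, ca_domain, method, account_uri=None, wildcard=False):
    """Decide whether ca_domain may issue for fqdn using `method`. Returns (allowed, reason)."""
    owner, rrset = find_caa_rrset(fqdn)
    if not rrset:
        return True, "no CAA RRset found; issuance not restricted by CAA"
    # Unknown critical tags forbid issuance outright (RFC 8659 section 4.1).
    if any((r.flags & CRITICAL) and r.tag not in KNOWN_TAGS for r in rrset):
        return False, f"unknown critical CAA tag at {owner}"
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in rrset if r.tag == tag]
    if wildcard and not relevant:
        # issuewild absent: wildcard requests fall back to issue records.
        tag, relevant = "issue", [r for r in rrset if r.tag == "issue"]
    if not relevant:
        return True, f"no {tag} records at {owner}; not restricted"
    for r in relevant:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca_domain:
            continue
        methods = params.get("validationmethods")
        if methods and method not in [m.strip() for m in methods.split(",")]:
            continue  # record names this CA but does not permit this method
        acct = params.get("accounturi")
        if acct and acct != account_uri:
            continue  # record names this CA but binds issuance to another account
        return True, f"authorized by {tag} record at {owner}: {r.value!r}"
    return False, f"no {tag} record at {owner} authorizes {ca_domain} via {method}"


if __name__ == "__main__":
    # 'ca-email' is an assumed CA-defined label for an email-based method (RFC 8657 style).
    for args in [("www.example.test", "example-ca.test", "dns-01"),
                 ("www.example.test", "example-ca.test", "ca-email"),
                 ("strict.example.test", "example-ca.test", "dns-01")]:
        print(args, may_issue(*args))
```

The subscriber-side takeaway is the second case: because the validationmethods list names only dns-01 and http-01, a request that would be validated by email is refused under the subscriber's own record, independently of whether the CA performs DNSSEC on the email-method lookups.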

Roman Fischer

Nov 19, 2025, 2:11:42 AM (9 days ago) Nov 19
to server...@groups.cabforum.org

SwissSign will endorse this ballot.


Kind regards

Roman

Adriano Santoni

Nov 19, 2025, 3:15:35 AM (9 days ago) Nov 19
to server...@groups.cabforum.org

Actalis will endorse this ballot.

--Adriano




Dimitris Zacharopoulos (HARICA)

Nov 20, 2025, 1:09:24 AM (8 days ago) Nov 20
to server...@groups.cabforum.org
Henry, 

Thank you for sharing your views which are fully aligned with my rationale for this ballot. I will try to prepare an official ballot next week.


Best regards,
Dimitris.

Aaron Gable

Nov 20, 2025, 11:56:22 AM (7 days ago) Nov 20
to server...@groups.cabforum.org
As discussed in the meeting today, I agree with Henry that this carve-out makes sense. However, I think the proposed phrasing will need some massaging, in order to avoid implying that DNSSEC checking is not required for any CNAME queries used to derive the ADN.

Aaron

Dimitris Zacharopoulos (HARICA)

Nov 22, 2025, 6:34:01 AM (5 days ago) Nov 22
to server...@groups.cabforum.org


On 11/20/2025 6:56 PM, 'Aaron Gable' via Server Certificate WG (CA/B Forum) wrote:
As discussed in the meeting today, I agree with Henry that this carve-out makes sense. However, I think the proposed phrasing will need some massaging, in order to avoid implying that DNSSEC checking is not required for any CNAME queries used to derive the ADN.


First attempt to address this concern. We can continue this conversation on the PR if you prefer until it becomes stable for a discussion with the larger group.


Best,
Dimitris.
