Ballot SC-100: DNSSEC Clarification and Consolidation
--- Ballot Background ---
Discussion prior to, and at CA/Browser Forum Face to Face Meeting #67 in Houston, TX revealed that there was some lack of clarity regarding the DNSSEC validation requirements, particularly in the area of Remote Network Perspectives, as well as the fact that the DNSSEC validation requirements being somewhat scattered throughout Section 3.2.2 made it more difficult to pin down than it could be if all in one place.
--- Ballot Summary ---
Move all DNSSEC validation requirements to the new Section 4.2.2.2.
Reorganize the structure somewhat for easier reading and reduction of repetition.
Clarify that DNSSEC validation MAY be performed on Remote Network Perspectives, but is REQUIRED only on the Primary Network Perspective.
This ballot does not currently have an effective date, as the intent is merely to address clarity and there is no intention to modify the existing requirements
This ballot is proposed by Rich Smith (DigiCert) and endorsed by Trev Ponds-White (Amazon) and Scott Rea (eMudhra)
--- Motion Begins ---
Modify the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Server Certificates", based on Version 2.2.8, per the following redline:
--- Motion Ends ---
This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
Discussion (at least 7 days):
· Start time: 2026-06-30 17:00 UTC
· End time: 2026-07-07 17:00 UTC or later
Vote for approval (7 days):
· Start time: TBD
· End time: TBD
Rich Smith
Sr. Director, Product Technical Excellence
![]()
Caution: This is an external email. Stop, assess and verify. Please take care when clicking links or opening attachments! When in doubt, report it using “report phishing” function. |
Antti,
The language used in 4.2.2.2.7 was pulled directly from existing language in 3.2.2.4.
#1 was included in Ballot SC-085 which instituted the requirement to validate DNSSEC. #2 was added by Ballot SC-096. The only changes I’ve made to the wording of these was to remove, “…back to the IANA DNSSEC root trust anchor…,” because we’re already specifying that DNSSEC validation MUST be in accordance with the algorithm defined in RFC 4035, so that phrase doesn’t add anything, and can in fact cause confusion.
As far as a need for some additional clarity around these two exclusions, I don’t necessarily disagree, but I’m also afraid I don’t have much to offer, as I am not the originator of the exclusions themselves. Perhaps the authors of SC-085 and SC-096 can weigh in. I’m happy to adjust wording as needed to increase the understanding of these provisions, and provided Trev and Scott, as the endorsers of this ballot, agree with the suggestions which may surface.
Rich Smith
Sr. Director, Product Technical Excellence
![]()