
Discussion Period Begins | SC-085: Require DNSSEC for CAA and DCV Lookups


Clint Wilson

May 22, 2025, 8:00:05 PM
to server...@groups.cabforum.org

SC-085: Require DNSSEC for CAA and DCV Lookups

Purpose of Ballot

DNSSEC adds an optional layer of security to DNS by enabling cryptographic validation of DNS resource records, ensuring that they are authentic and haven’t been tampered with. Where DNSSEC has been adopted by Applicants/Subscribers, it is reasonable to expect those signatures be validated by CAs when performing certain DNS lookups. If a domain properly configures DNSSEC, DNSSEC validation can meaningfully reduce the risks associated with DNS spoofing or interception attacks against CAs [1]. Furthermore, DNSSEC validation by CAs provides options for domain owners to achieve provable security of the domain control validation process against network adversaries [1][2].

This ballot introduces language which ensures CAs complying with the TLS Baseline Requirements are required to validate DNSSEC, when present, in the course of retrieving CAA records or performing DCV-related DNS lookups from Primary Network Perspectives. This change is expected to have a minimal impact (e.g., load/errors) on the DNS resolvers used at Primary Network Perspectives as shown by the high-volume CAs and large fraction of clients that validate DNSSEC [1][3]. As the adoption rate of DNSSEC by domains seen in TLS certificates is fairly low today, the majority of DNS lookup results will be unaffected while domains that do use DNSSEC will benefit from improved security [1][3].

This ballot sets an effective date of March 15, 2026 for these changes.

[3] https://blog.apnic.net/2023/09/18/measuring-the-use-of-dnssec/

Motion

The following motion has been proposed by Clint Wilson (Apple) and endorsed by Wayne Thayer (Fastly), Dimitris Zacharopoulos (HARICA), and Ryan Dickson (Chrome).

You can view and comment on the Github pull request representing this ballot here.

Special thanks to Henry Birge-Lee for his exemplary efforts on this ballot.

Motion Begins

MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.1.5 as specified in the following redline:

Motion Ends

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (at least 7 days)

  • Start time: May 23, 2025 00:00 UTC (2025-05-23T00:00:00.000Z)
  • End time: on or after May 30, 2025 17:00 UTC (2025-05-30T00:00:00.000Z)

Vote for approval (7 days)

  • Start time: TBD
  • End time: TBD

Salz, Rich

May 23, 2025, 9:02:08 AM
to server...@groups.cabforum.org

SC-085: Require DNSSEC for CAA and DCV Lookups

Compared to the explanatory text in the message, this title is misleading. Perhaps this is better: Require DNSSEC validation when present for CAA and DCV Lookups

Henry Birge-Lee

May 23, 2025, 10:00:15 AM
to server...@groups.cabforum.org
Hi Rich Salz and all,

To clarify, the intent of the ballot (which is implemented in the proposed changes) is to require DNSSEC validation on domains and zones that are using DNSSEC. I apologize if brevity in the title leads to any confusion.

Best,
Henry

On Fri, May 23, 2025 at 9:02 AM 'Salz, Rich' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org> wrote:

SC-085: Require DNSSEC for CAA and DCV Lookups

Compared to the explanatory text in the message, this title is misleading. Perhaps this is better: Require DNSSEC validation when present for CAA and DCV Lookups

--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/IA1PR17MB6421A1FD5E10D39D020729E5CD98A%40IA1PR17MB6421.namprd17.prod.outlook.com.

Salz, Rich

May 23, 2025, 10:28:51 AM
to server...@groups.cabforum.org

To clarify, the intent of the ballot (which is implemented in the proposed changes) is to require DNSSEC validation on domains and zones that are using DNSSEC. I apologize if brevity in the title leads to any confusion.

Yup, I understand.  I strongly suggest you use something like I suggested because it *is* confusing. Imagine if someone posts the agenda without explanation.

On Fri, May 23, 2025 at 9:02 AM 'Salz, Rich' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org> wrote:

SC-085: Require DNSSEC for CAA and DCV Lookups

Compared to the explanatory text in the message, this title is misleading. Perhaps this is better: Require DNSSEC validation when present for CAA and DCV Lookups


Roman Fischer

May 30, 2025, 7:25:48 AM
to server...@groups.cabforum.org

Dear Clint,

Can we extend the discussion period for another week?

Thanks
Roman


Clint Wilson

May 30, 2025, 12:55:18 PM
to server...@groups.cabforum.org

The following updates have been made to SC-085, resulting in SC-085v2. The discussion period will continue as outlined below.

1. The name of the ballot has been changed from “Require DNSSEC for CAA and DCV Lookups” to “Require Validation of DNSSEC (when present) for CAA and DCV Lookups”
2. Section 3.2.2.4 has been updated such that performance of DNSSEC validation is out of scope of self-audits performed in support of meeting the requirements of Section 8.7.

Ballot SC-085v2 has been proposed by Clint Wilson (Apple) and endorsed by Wayne Thayer (Fastly), Dimitris Zacharopoulos (HARICA), and Ryan Dickson (Chrome).

SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups

Purpose of Ballot

DNSSEC adds an optional layer of security to DNS by enabling cryptographic validation of DNS resource records, ensuring that they are authentic and haven’t been tampered with. Where DNSSEC has been adopted by Applicants/Subscribers, it is reasonable to expect those signatures be validated by CAs when performing certain DNS lookups. If a domain properly configures DNSSEC, DNSSEC validation can meaningfully reduce the risks associated with DNS spoofing or interception attacks against CAs [1]. Furthermore, DNSSEC validation by CAs provides options for domain owners to achieve provable security of the domain control validation process against network adversaries [1][2].

This ballot introduces language which ensures CAs complying with the TLS Baseline Requirements are required to validate DNSSEC, when present, in the course of retrieving CAA records or performing DCV-related DNS lookups from Primary Network Perspectives. This change is expected to have a minimal impact (e.g., load/errors) on the DNS resolvers used at Primary Network Perspectives as shown by the high-volume CAs and large fraction of clients that validate DNSSEC [1][3]. As the adoption rate of DNSSEC by domains seen in TLS certificates is fairly low today, the majority of DNS lookup results will be unaffected while domains that do use DNSSEC will benefit from improved security [1][3].

This ballot sets an effective date of March 15, 2026 for these changes.

[3] https://blog.apnic.net/2023/09/18/measuring-the-use-of-dnssec/

Motion

The following motion has been proposed by Clint Wilson (Apple) and endorsed by Wayne Thayer (Fastly), Dimitris Zacharopoulos (HARICA), and Ryan Dickson (Chrome).

You can view and comment on the Github pull request representing this ballot here.

Special thanks to Henry Birge-Lee for his exemplary efforts on this ballot.

Motion Begins

MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.1.5 as specified in the following redline:

Motion Ends

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (at least 7 days)

  • Start time: May 23, 2025 00:00 UTC (2025-05-23T00:00:00.000Z)
  • End time: on or after June 06, 2025 17:00 UTC (2025-06-06T17:00:00.000Z)

Vote for approval (7 days)

  • Start time: TBD
  • End time: TBD
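Both the original SC-085 text and the SC-085v2 text above require a CA to validate DNSSEC, when present, for CAA retrieval and DCV-related DNS lookups. What that looks like at the wire level, as an added example written for this page (it is not code from the ballot, its proposer, or any CA): the CA's DNS client sends its CAA query with the EDNS0 DO bit set and the CD bit clear, so a validating recursive resolver performs validation, and then interprets the reply by its RCODE and AD bit. The example assumes the resolver is a trusted validating resolver (the AD bit is only meaningful over a trusted path to it), and every byte of query and reply below is constructed inline so it runs offline.

```python
import struct

# Added example (not the ballot's or any CA's code). Assumes the CA's DNS
# client forwards to a trusted, DNSSEC-validating recursive resolver and
# relies on that resolver's AD bit (RFC 4035 s.3.2.3). All wire bytes are
# constructed here for offline use; no answer RRs are included.

QTYPE_CAA = 257   # CAA record type (RFC 8659)
QTYPE_OPT = 41    # EDNS0 pseudo-RR that carries the DO bit
QCLASS_IN = 1

FLAG_QR = 0x8000  # reply
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: resolver validated the answer
FLAG_CD = 0x0010  # checking disabled: must stay clear, or AD is never set
EDNS_DO = 0x8000  # "DNSSEC OK", lives in the OPT RR's TTL field


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_CAA, txid=0x1234):
    """Query as the CA should send it: RD=1, CD=0 (so the resolver validates),
    plus an OPT RR with DO=1 so the resolver knows we are DNSSEC-aware."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL=(extended RCODE, version, flags with DO), RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", QTYPE_OPT, 1232, 0, 0, EDNS_DO, 0)
    return header + question + opt


def classify_response(wire, expected_txid=None):
    """Map a reply header to the security state a stub can observe:
    'secure'   AD=1, the resolver validated the data (NOERROR or NXDOMAIN)
    'insecure' AD=0, the resolver found no chain of trust (unsigned zone)
    'bogus'    SERVFAIL; a validating resolver answers this for bad signatures.
               A stub cannot tell that apart from a plain resolver failure,
               so both are treated as a failed lookup here.
    'error'    anything else (truncated, wrong txid, not a reply, REFUSED...)"""
    if len(wire) < 12:
        return "error"
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    if expected_txid is not None and txid != expected_txid:
        return "error"
    if not flags & FLAG_QR:
        return "error"
    rcode = flags & 0x000F
    if rcode == 2:
        return "bogus"
    if rcode not in (0, 3):
        return "error"
    return "secure" if flags & FLAG_AD else "insecure"


def may_rely_on_lookup(wire, expected_txid=None):
    """Only a validated or provably unsigned answer may feed CAA processing or
    a DNS-based DCV check. A bogus or failed lookup must not be read as
    "no CAA records" or as a passed challenge."""
    return classify_response(wire, expected_txid) in ("secure", "insecure")


def make_response(query, rcode, ad):
    """Constructed reply for offline testing: echoes the question and OPT RR
    from the query, sets QR/RD/RA, optionally AD, and the given RCODE."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1) + query[12:]


if __name__ == "__main__":
    q = build_query("example.com")
    for rcode, ad in ((0, True), (0, False), (2, False), (3, True), (5, False)):
        r = make_response(q, rcode, ad)
        print(rcode, ad, classify_response(r, 0x1234), may_rely_on_lookup(r, 0x1234))
```

Two points the classification depends on: if the client set CD, the resolver would hand back unvalidated data and never set AD, so "when present" validation silently stops happening; and a SERVFAIL cannot be distinguished by the stub from bogus data, so the conservative choice is to treat it as a failed lookup rather than as an empty CAA set. Whether a CA may fall back to another resolver or retry on such a failure is a matter for the Baseline Requirements text, not something this example decides.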

Clint Wilson

Jun 10, 2025, 10:14:29 AM
to server...@groups.cabforum.org
I plan to move this ballot into its Voting Period in (approximately) the next day.