[Voting Period] | SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups


Clint Wilson

Jun 11, 2025, 2:57:06 PM
to server...@groups.cabforum.org

SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups

Purpose of Ballot

DNSSEC adds an optional layer of security to DNS by enabling cryptographic validation of DNS resource records, ensuring that they are authentic and haven’t been tampered with. Where DNSSEC has been adopted by Applicants/Subscribers, it is reasonable to expect those signatures be validated by CAs when performing certain DNS lookups. If a domain properly configures DNSSEC, DNSSEC validation can meaningfully reduce the risks associated with DNS spoofing or interception attacks against CAs [1]. Furthermore, DNSSEC validation by CAs provides options for domain owners to achieve provable security of the domain control validation process against network adversaries [1][2].

This ballot introduces language which ensures CAs complying with the TLS Baseline Requirements are required to validate DNSSEC, when present, in the course of retrieving CAA records or performing DCV-related DNS lookups from Primary Network Perspectives. This change is expected to have a minimal impact (e.g., load/errors) on the DNS resolvers used at Primary Network Perspectives as shown by the high-volume CAs and large fraction of clients that validate DNSSEC [1][3]. As the adoption rate of DNSSEC by domains seen in TLS certificates is fairly low today, the majority of DNS lookup results will be unaffected while domains that do use DNSSEC will benefit from improved security[1][3].

This ballot sets an effective date of March 15, 2026 for these changes.

[3] https://blog.apnic.net/2023/09/18/measuring-the-use-of-dnssec/

Motion

The following motion has been proposed by Clint Wilson (Apple) and endorsed by Wayne Thayer (Fastly), Dimitris Zacharopoulos (HARICA), and Ryan Dickson (Chrome).

You can view and comment on the Github pull request representing this ballot here.

Special thanks to Henry Birge-Lee for his exemplary efforts on this ballot.

Motion Begins

MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.1.5 as specified in the following redline:

Motion Ends

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (at least 7 days)

  • Start time: May 23, 2025 00:00 UTC (2025-05-23T00:00:00.000Z)
  • End time: on or after June 06, 2025 17:00 UTC (2025-06-06T17:00:00.000Z)

Vote for approval (7 days)

  • Start time: June 11, 2025 19:00 UTC (2025-06-11T19:00:00.000Z)
  • End time: June 18, 2025 19:00 UTC (2025-06-18T19:00:00.000Z)

Michael Guenther

Jun 12, 2025, 4:21:11 AM
to server...@groups.cabforum.org
smime.p7m

Dimitris Zacharopoulos (HARICA)

Jun 13, 2025, 3:01:30 AM
to 'Clint Wilson' via Server Certificate WG (CA/B Forum)
HARICA votes "yes" to ballot SC-085v2.
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CC7FD849-3A67-4A72-BC38-B62A15F56C5D%40apple.com.

Clint Wilson

Jun 13, 2025, 5:00:28 PM
to server...@groups.cabforum.org
Apple votes Yes on SC-085v2.

Marco Schambach

Jun 13, 2025, 5:04:38 PM
to server...@groups.cabforum.org

IdenTrust votes “Yes” on SC-085v2

 

Marco S.

TrustID Program Manager

--

Peter Miškovič

Jun 14, 2025, 8:28:29 AM
to server...@groups.cabforum.org

Disig votes „YES“ on ballot SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups.

 

Regards

Peter Miskovic

 

From: 'Clint Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Wednesday, June 11, 2025 20:57
To: server...@groups.cabforum.org

--

Wayne Thayer

Jun 14, 2025, 9:59:43 AM
to server...@groups.cabforum.org
Fastly votes "yes" on ballot SC-085v2.

- Wayne

--

Ben Wilson

Jun 14, 2025, 2:54:45 PM
to server...@groups.cabforum.org
Mozilla votes "Yes" for Ballot SC-085v2.

--

Matsuo Yoshihiko

Jun 15, 2025, 7:10:40 PM
to server...@groups.cabforum.org
JPRS votes YES to Ballot SC-085v2:

Yoshihiko Matsuo(JPRS)

On Wed, 11 Jun 2025 11:57:01 -0700
"'Clint Wilson' via Server Certificate WG (CA/B Forum)" <server...@groups.cabforum.org> wrote:

> SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups
>
> Purpose of Ballot
>
> DNSSEC adds an optional layer of security to DNS by enabling cryptographic validation of DNS resource records, ensuring that they are authentic and haven’t been tampered with. Where DNSSEC has been adopted by Applicants/Subscribers, it is reasonable to expect those signatures be validated by CAs when performing certain DNS lookups. If a domain properly configures DNSSEC, DNSSEC validation can meaningfully reduce the risks associated with DNS spoofing or interception attacks against CAs [1]. Furthermore, DNSSEC validation by CAs provides options for domain owners to achieve provable security of the domain control validation process against network adversaries [1][2].
>
> This ballot introduces language which ensures CAs complying with the TLS Baseline Requirements are required to validate DNSSEC, when present, in the course of retrieving CAA records or performing DCV-related DNS lookups from Primary Network Perspectives. This change is expected to have a minimal impact (e.g., load/errors) on the DNS resolvers used at Primary Network Perspectives as shown by the high-volume CAs and large fraction of clients that validate DNSSEC [1][3]. As the adoption rate of DNSSEC by domains seen in TLS certificates is fairly low today, the majority of DNS lookup results will be unaffected while domains that do use DNSSEC will benefit from improved security[1][3].
>
> This ballot sets an effective date of March 15, 2026 for these changes.
>
> [1] https://secure-certificates.princeton.edu/cryptographic-domain-validation.pdf
> [2] https://datatracker.ietf.org/doc/html/rfc8657
> [3] https://blog.apnic.net/2023/09/18/measuring-the-use-of-dnssec/
>
> Motion
>
> The following motion has been proposed by Clint Wilson (Apple) and endorsed by Wayne Thayer (Fastly), Dimitris Zacharopoulos (HARICA), and Ryan Dickson (Chrome).
>
> You can view and comment on the Github pull request representing this ballot here <https://github.com/cabforum/servercert/pull/579/files>.
>
> Special thanks to Henry Birge-Lee for his exemplary efforts on this ballot.
>
> Motion Begins
>
> MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.1.5 as specified in the following redline:
>
> https://github.com/cabforum/servercert/compare/e9176e15805a2f7908411a22a40047b655fa24c4...28cb6adac58653a11b724bbedc219ca826e8fb99
> Motion Ends
>
> This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
>
> Discussion (at least 7 days)
>
> Start time: May 23, 2025 00:00 UTC (2025-05-23T00:00:00.000Z)
> End time: on or after June 06, 2025 17:00 UTC (2025-06-06T17:00:00.000Z)
> Vote for approval (7 days)
>
> Start time: June 11, 2025 19:00 UTC (2025-06-11T19:00:00.000Z)
> End time: June 18, 2025 19:00 UTC (2025-06-18T19:00:00.000Z)
>

蔡家宏(chtsai)

Jun 15, 2025, 11:21:08 PM
to server...@groups.cabforum.org

TWCA votes Yes on Ballot SC-085v2.

 

 

Best Regards

 

蔡家宏 Chya-Hung Tsai

Director

Identification & Certificate Research
Tel: +886-2-2370-8886 ext. 722
Fax: +886-2-2388-6720
Email: cht...@twca.com.tw

10F., No. 85, Yanping South Road,

Taipei 100002, Taiwan(R.O.C.)
https://www.twca.com.tw

 

 

From: 'Clint Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Thursday, June 12, 2025 2:57 AM
To: server...@groups.cabforum.org

--

大野 文彰

Jun 16, 2025, 12:12:33 AM
to server...@groups.cabforum.org

SECOM Trust Systems votes YES on Ballot SC-085v2.

 

Best regards,

 

ONO Fumiaki / 大野 文彰

SECOM Trust Systems CO., LTD.

 

From: 'Clint Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Thursday, June 12, 2025 3:57 AM
To: server...@groups.cabforum.org

--

Alvin Wang

Jun 16, 2025, 12:30:30 AM
to Server Certificate WG (CA/B Forum), cli...@apple.com
SHECA votes "Yes" for Ballot SC-085v2.

Doug Beattie

Jun 16, 2025, 6:25:22 AM
to server...@groups.cabforum.org

GlobalSign votes Yes on SC-085v2

 

Doug

 

From: 'Clint Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Wednesday, June 11, 2025 2:57 PM

--

Scott Rea

Jun 16, 2025, 6:47:59 AM
to server...@groups.cabforum.org, cli...@apple.com
eMudhra votes YES on Ballot SC-085v2

Regards,
-Scott 

Pedro FUENTES

Jun 16, 2025, 6:57:11 AM
to server...@groups.cabforum.org
OISTE Votes Yes to SC-085v2

 
From: 'Clint Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org> 

Sent: Wednesday, June 11, 2025 8:57 PM
To: server...@groups.cabforum.org

WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager

Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland

Kateryna Aleksieieva

Jun 16, 2025, 8:41:25 AM
to server...@groups.cabforum.org

Certum votes YES on Ballot SC-085v2

 

Kind regards,
Kateryna Aleksieieva

 

From: 'Clint Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Wednesday, June 11, 2025 8:57 PM
To: server...@groups.cabforum.org

--

Bruce Morton

Jun 16, 2025, 9:52:26 AM
to server...@groups.cabforum.org

Entrust abstains for ballot SC-085v2.

 

 

Bruce.

 

From: 'Clint Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Wednesday, June 11, 2025 2:57 PM
To: server...@groups.cabforum.org


Rollin.Yu

Jun 16, 2025, 11:58:27 AM
to server...@groups.cabforum.org
TrustAsia votes YES on ballot SC-085v2.

Best regards,
Rollin Yu


sde...@godaddy.com

Jun 16, 2025, 7:28:43 PM
to server...@groups.cabforum.org

GoDaddy votes Yes on Ballot SC-085v2.

 

Regards,

Steven Deitte

 

--

Hogeun Yoo

Jun 16, 2025, 10:28:18 PM
to server...@groups.cabforum.org
NAVER Cloud Trust Services votes YES on Ballot SC-085v2.

Best regards,
Hogeun Yoo

-----Original Message-----
From: "'Clint Wilson' via Server Certificate WG (CA/B Forum)"<server...@groups.cabforum.org>


qi_ji...@itrus.com.cn

Jun 17, 2025, 3:35:49 AM
to servercert-wg
iTrusChina votes YES on Ballot SC-085v2.

Regards,
Qi Jianxin


 
--

CHASSERY Francois

Jun 17, 2025, 3:44:32 AM
to server...@groups.cabforum.org

 

Certinomis votes YES on ballot SC-085v2

Entschew, Enrico

Jun 17, 2025, 4:03:34 AM
to server...@groups.cabforum.org

D-Trust votes „Yes“ on Ballot SC-085v2.

 

Thanks,

Enrico

--

Backman, Antti

Jun 17, 2025, 4:17:38 AM
to server...@groups.cabforum.org

Telia votes ’Yes’ on Ballot SC-085v2

 

//Antti

 

From: 'Clint Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>


Date: Wednesday, 11. June 2025 at 21.57
To: server...@groups.cabforum.org <server...@groups.cabforum.org>

--

Josselin ALLEMANDOU

Jun 17, 2025, 4:38:16 AM
to server...@groups.cabforum.org

 

CERTIGNA votes YES on Ballot SC-085v2

 

 

 

 

From: 'Clint Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Wednesday, June 11, 2025 20:57
To: server...@groups.cabforum.org
Subject: [Servercert-wg] [Voting Period] | SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups

--

陳立群

Jun 18, 2025, 1:56:18 AM
to server...@groups.cabforum.org

Chunghwa Telecom Votes Yes on Ballot SC-085v2.

 

Sincerely Yours,

 

Li-Chun Chen

Chunghwa Telecom

Mads Egil Henriksveen

Jun 18, 2025, 11:16:40 AM
to server...@groups.cabforum.org

Buypass votes YES on ballot SC-085v2.

 

Regards

Mads

Tim Hollebeek

Jun 18, 2025, 1:03:42 PM
to server...@groups.cabforum.org

DigiCert votes YES on SC-085v2

 

-Tim

 

From: 'Clint Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Wednesday, June 11, 2025 2:57 PM
To: server...@groups.cabforum.org

Janet Hines

Jun 18, 2025, 1:46:27 PM
to server...@groups.cabforum.org

VikingCloud votes YES on SC-085v2

Regards,
Janet Hines

 

From: 'Clint Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Date: Wednesday, June 11, 2025 at 2:57 PM
To: server...@groups.cabforum.org <server...@groups.cabforum.org>
Subject: [Servercert-wg] [Voting Period] | SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups
