Question about implementation of DNSSEC checks for E-Mail based Domain Validation


Roman Fischer

Aug 19, 2025, 10:43:59 AM
to server...@groups.cabforum.org

Dear all,

The vendor of our CA system has started planning for the implementation of DNSSEC validation of Domain Validation and CAA (SC-085v2).

One point came up: We do currently support domain validation method 3.2.2.4.4 Constructed Email to Domain Contact. This is implemented in a way that the CA system has the mail-server configured where it hands off the emails to be sent out.

It's now not really clear how to handle this with respect to DNSSEC validation. Is the expectation of the community that the sending mail-server will have to do DNSSEC validation as described in the TLS BR?

If so, that would have the side-effect that when such a DNSSEC validation fails, the mail-server currently has no way of signaling this failure back to the CA system. This in turn would mean that the customer would simply not receive the constructed email with the token and the domain validation would remain in a "pending" state.

1. What is the community's expectation regarding DNSSEC checks for email-based domain validation methods?

2. How are other CAs implementing this case?

Thanks for any feedback and experience sharing!

Kind regards
Roman

Roman Fischer
Information Security Manager
+41 76 310 12 66
roman....@swisssign.com

SwissSign AG
Sägereistrasse 25
Postfach
CH-8152 Glattbrugg
swisssign.com

Never miss a thing: follow us on LinkedIn!
Subscribe to our newsletter or visit our blog.

Andrew Chen

Aug 19, 2025, 12:05:53 PM
to server...@groups.cabforum.org
Roman,
Assuming you configure your mail server to require DNSSEC validation, failure processing could be implemented by having a unique return-path per message sent, pointing to an inbound parse webhook that can process the bounce.

Andrew

--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/ZR0P278MB01708F040851FCAA255AFC2EFA30A%40ZR0P278MB0170.CHEP278.PROD.OUTLOOK.COM.
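The bounce-handling idea above, as an added example that is not code from the thread or from any CA system: each constructed DCV e-mail gets a unique envelope sender (return-path) carrying a random token, and the inbound webhook maps a delivery-status notification back to the pending validation and marks it failed instead of leaving it "pending". The bounce domain, sender address and in-memory table are assumptions made for the example.

```python
import re
import secrets
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Assumed for this example: the CA owns this domain and routes every address
# under it to the inbound parse webhook.
BOUNCE_DOMAIN = "dcv-bounce.ca.example"
_RETURN_PATH_RE = re.compile(
    r"^dcv\+(?P<token>[0-9a-f]{32})@" + re.escape(BOUNCE_DOMAIN) + r"$"
)

# Stand-in for the CA system's table of pending e-mail validations.
PENDING: dict = {}


def build_dcv_message(domain: str, recipient: str, challenge: str):
    """Build the constructed e-mail and the envelope sender unique to this attempt."""
    token = secrets.token_hex(16)                 # 32 hex chars, fresh per message
    return_path = f"dcv+{token}@{BOUNCE_DOMAIN}"
    PENDING[token] = {"domain": domain, "recipient": recipient, "state": "pending"}
    msg = EmailMessage()
    msg["From"] = "validation@ca.example"         # assumed sender address
    msg["To"] = recipient
    msg["Subject"] = f"Domain control validation for {domain}"
    msg.set_content(f"Your validation code is {challenge}")
    # The sending MTA must use return_path as SMTP MAIL FROM; any bounce,
    # including one the MTA itself generates after a failed DNSSEC lookup,
    # is addressed to it.
    return msg, return_path


def token_from_bounce(raw_bounce: str) -> Optional[str]:
    """Extract the per-message token from a bounce addressed to the return-path."""
    bounce = message_from_string(raw_bounce)
    for header in ("To", "X-Original-To", "Delivered-To"):
        _, addr = parseaddr(bounce.get(header, ""))
        match = _RETURN_PATH_RE.match(addr.strip().lower())
        if match:
            return match.group("token")
    return None


def process_bounce(raw_bounce: str, reason: str) -> Optional[str]:
    """Webhook handler: fail the matching validation so it does not stay pending."""
    token = token_from_bounce(raw_bounce)
    if token is None or token not in PENDING:
        return None                               # unrelated or replayed bounce
    PENDING[token]["state"] = "failed"
    PENDING[token]["reason"] = reason
    return token
```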

Dimitris Zacharopoulos (HARICA)

Sep 1, 2025, 4:28:02 AM
to server...@groups.cabforum.org

During the last WG Teleconference, this topic was briefly discussed. While some members expressed an expectation that DNSSEC should apply to Email Domain Validation methods, the BRs are not so explicit about it. Some amendments may be needed before the effective date of SC085 (March 15, 2026).

It was suggested that this topic be added to the agenda of the next Validation Subcommittee Teleconference.


Thank you,
Dimitris.

--
Dimitris Zacharopoulos
CA/B Forum SCWG Chair

Roman Fischer

Oct 17, 2025, 7:09:15 AM
to server...@groups.cabforum.org

Dear all,

Following up on a discussion during the last face-to-face meeting, we are asking the community for feedback on (realistic) threat vectors that could abuse the situation where DNSSEC would not be checked for E-Mail based Domain Control Validation while DNSSEC would be checked for CAA checks.

The reason we're looking for such threat vectors is to decide if a temporary exclusion of DNSSEC check for e-mail based DCV would present a risk that is not sufficiently mitigated by doing CAA checks with DNSSEC validation during certificate issuance.

Kind regards
Roman

Martijn Katerbarg

Oct 23, 2025, 5:12:37 AM
to server...@groups.cabforum.org
Hi Roman,

While I expect everyone on this list to be aware of the fact, I think it’s good to reiterate the difference between DCV and CAA:

  • DCV needs to be performed to specifically prove control over a domain name, and with that, allow the CA to issue a certificate for said domain, to a specific Applicant. In a broad sense, this is a whitelist mechanism, a very narrowly scoped one.
  • CAA on the other hand, is essentially the exact opposite. In the first place, it’s a blacklisting mechanism. If no record exists, every CA is allowed to issue, for any Applicant (not taking DCV into account). As soon as a single record does exist, it sort of turns into a whitelist, but then still, it turns into a whitelist for which CA is allowed to issue, not which CA for which subscriber (That is, until https://github.com/cabforum/servercert/pull/567 is a thing).

To this, we should add the fact that E-mail based DCV currently doesn’t require MPIC to be performed. 

It seems to me like Email based DCV is one of our weakest links at the moment. The method is open to BGP hijacks, something which, depending on where in the chain it is performed, could allow for the CA to be returned falsified record sets. Blocking the processing of invalidly signed DNSSEC records, for organizations that want to rely on DNSSEC, would at least mitigate those cases.

With CAA records still not very widely adopted, and when it is adopted, limits issuance at the CA level, not Subscriber level, I do not believe this poses as a valid mitigating mechanism.

Regards,

Martijn


Dimitris Zacharopoulos

Oct 23, 2025, 6:08:47 AM
to 'Martijn Katerbarg' via Server Certificate WG (CA/B Forum)
Hi Martijn,

If the Domain Owner's zone is DNSSEC-enabled, and there is some error in the DNS responses, even for the CAA negative existence query (NSEC3), the CA is not allowed to issue. So, in the specific cases where the zone is DNSSEC-enabled and the CA gets an invalid response, whether it is for a CAA query or a DCV, the CA is not allowed to issue.

That's why I believe DNS MX queries, for those secure zones, are not so necessary, especially when there is a plan to deprecate them.

Thanks,

DZ.


Martijn Katerbarg

Oct 23, 2025, 6:22:25 AM
to server...@groups.cabforum.org
Hi Dimitris,

A good point. But that relies on the DCV and CAA being done very close to each other, time wise, which may not be the case. 

A DCV could be done in, say, May. The CA sees a valid DCV and is allowed to store it for re-use, but halts issuance due to CAA DNSSEC issues. But then, the DNS spoofing attack is over after a few days. The attacker asks the CA to retry issuance. The CA would be fully in its right to only retry CAA, and poof, the certificate gets issued.

Regards,

Martijn

Dimitris Zacharopoulos

Oct 23, 2025, 12:18:59 PM
to 'Martijn Katerbarg' via Server Certificate WG (CA/B Forum)
Thanks Martijn, let me try to describe the threat in my own words to make sure I understood. During the DCV phase, the attacker sends an unsigned fake DNS response about the MX record associated with a Domain Name (example.com), the CA does not check DNSSEC errors and sends the challenge to the inbox of -say- admini...@example.com which ends up to the mail server of the attacker and completes the DCV.

Then the attacker stops the DNS attack and sends a request to issue the certificate, in which case the CA will query the real DNSSEC-signed zone, verify there is no CAA record (or a CAA that allows issuance) and issues the certificate. Is that a fair description of the threat scenario?

If this is a correct description, I would like to ask Henry who's tested equally-specific prefix BGP attacks before (or anyone else with similar experience), how likely and easy it is for such a threat to be executed considering the fact that the fake mail server must be up for some time in order to receive the challenge email.


Thanks,

DZ.
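The timing gap Martijn describes (DCV in May, issuance months later after the spoofing has stopped) and Dimitris's restatement of it, as an added example that is not code from the thread or from any CA: an issuance-time check that refuses to reuse a stored e-mail DCV for a zone that is DNSSEC-signed today unless the MX lookup at DCV time was itself DNSSEC-validated. The zone status values follow a validating resolver's outcomes (secure, insecure, bogus); the record layout and the reuse window are assumptions made for the example, not figures from the BRs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DcvRecord:
    """Stored outcome of one completed e-mail DCV (assumed layout)."""
    domain: str
    method: str              # e.g. "3.2.2.4.4", constructed e-mail to domain contact
    completed_at: datetime
    dnssec_validated: bool   # True only if the MX lookup passed DNSSEC validation


def may_issue(record: DcvRecord, zone_status_now: str, caa_permits: bool,
              now: datetime, reuse_window: timedelta):
    """Return (allowed, reason) for reusing a stored DCV at issuance time."""
    if zone_status_now == "bogus":
        return False, "DNSSEC validation of the zone failed at issuance time"
    if not caa_permits:
        return False, "CAA does not permit issuance"
    if now - record.completed_at > reuse_window:
        return False, "DCV record older than reuse window; revalidate"
    # The gap from the thread: the zone is signed today, but the DCV was obtained
    # through a resolver that did not validate, so a spoofed MX at DCV time would
    # have gone unnoticed. Only a validated DCV may be reused for a signed zone.
    if zone_status_now == "secure" and not record.dnssec_validated:
        return False, "zone is DNSSEC-signed but DCV was not DNSSEC-validated; revalidate"
    return True, "ok"


def replay_thread_scenario():
    """Constructed timeline: DCV in May without validation, retry in October."""
    may = datetime(2025, 5, 10, tzinfo=timezone.utc)
    october = datetime(2025, 10, 23, tzinfo=timezone.utc)
    window = timedelta(days=365)                   # assumed reuse window
    unvalidated = DcvRecord("example.com", "3.2.2.4.4", may, dnssec_validated=False)
    validated = DcvRecord("example.com", "3.2.2.4.4", may, dnssec_validated=True)
    return {
        # spoofing is over, real zone is secure, no CAA: CAA alone would let it through
        "retry_unvalidated": may_issue(unvalidated, "secure", True, october, window),
        "retry_validated": may_issue(validated, "secure", True, october, window),
        "unsigned_zone": may_issue(unvalidated, "insecure", True, october, window),
        "bogus_at_issuance": may_issue(validated, "bogus", True, october, window),
    }


if __name__ == "__main__":
    for name, (ok, reason) in replay_thread_scenario().items():
        print(f"{name}: {'issue' if ok else 'refuse'} ({reason})")
```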


Michael Richardson

Oct 23, 2025, 2:57:04 PM
to server...@groups.cabforum.org

'Dimitris Zacharopoulos' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org> wrote:
> Thanks Martijn, let me try to describe the threat in my own words to
> make sure I understood. During the DCV phase, the attacker sends an
> unsigned fake DNS response about the MX record associated with a Domain
> Name (example.com), the CA does not check DNSSEC errors and sends the
> challenge to the inbox of -say- admini...@example.com which ends up
> to the mail server of the attacker and completes the DCV.

Yes. So it seems like if there is DNSSEC, then it needs to be validated.
Seems like an own goal by the CA, as example.com did the right thing with DNSSEC.

> Then the attacker stops the DNS attack and sends a request to issue the
> certificate, in which case the CA will query the real DNSSEC-signed
> zone, verify there is no CAA record (or a CAA that allows issuance) and
> issues the certificate. Is that a fair description of the threat
> scenario?

> If this is a correct description, I would like to ask Henry who's
> tested equally-specific prefix BGP attacks before (or anyone else with
> similar experience), how likely and easy it is for such a threat to be
> executed considering the fact that the fake mail server must be up for
> some time in order to receive the challenge email.

I don't know why you need a BGP attack.
The mail server can be at fubar.attacker.example, and it can just remain live
for as long as they like. I'm not sure if mailenator.com will accept all
email, or just mail to @mailenator.com, but if it accepts anything, then one
could just use that.


Dimitris Zacharopoulos (HARICA)

Oct 24, 2025, 2:57:47 AM
to server...@groups.cabforum.org
I originally thought one would need to perform a BGP attack to hijack
the IP address of the official mail server but you're right, if the
attacker can spoof the DNS it can change the MX record value to anything
under the attacker's control.

So, assuming the CA performs the DCV process far apart from the
certificate issuance (when it checks CAA), this method does not protect
domain owners as well as the other methods.

I guess from this point on, the big question is if the WG considers this
risk acceptable in light of the deprecation of email/phone methods, and
allow these methods to continue without DNSSEC validation, or not.

Dimitris.

Martijn Katerbarg

Oct 24, 2025, 3:09:19 AM
to server...@groups.cabforum.org
Hi Dimitris,

>Is that a fair description of the threat scenario?
Indeed it is!

>I guess from this point on, the big question is if the WG considers this risk acceptable in light of the deprecation of email/phone methods, and allow these methods to continue without DNSSEC validation, or not.

Agreed. I think you know my opinion 😉.

I would add that a CA not wanting to do DNSSEC for email methods might need to introduce more complexity into their systems. I would assume most CAs use 1 pair of DNS resolvers, managed by themselves, for any DCV related activities. If DNSSEC checking is enforced on that resolver, then for any CA to not do DNSSEC for email, they would need to set up an additional pair of resolvers. This increases the risk for misconfigurations and a CA might suddenly find themselves in a spot where they’ve used the wrong one for the wrong method.

Regards,

Martijn


Roman Fischer

Oct 24, 2025, 3:20:07 AM
to server...@groups.cabforum.org

Hi Martijn,

Just regarding the multiple DNS resolvers thing: At least in our environment we already use two resolvers. One is built-in to the CA system and the other is used for everything else, including outbound e-mail. My guess is that some CAs may even have (or want to) offload the e-mail sending to a cloud service which would also use a separate DNS resolver.

Rgds
Roman

Martijn Katerbarg

Oct 24, 2025, 3:36:55 AM
to server...@groups.cabforum.org
>My guess is that some CAs may even have (or want to) offload the e-mail sending to a cloud service which would also use a separate DNS resolver.

Consider though that there are two types of email sending that a CA may do. One is regular emails (invoices, notifications, support, etc.). All that is fine in cloud.

Then there’s DCV email sending. Using a cloud service for that, and also a cloud DNS resolver for that, would mean the CA is utilizing a Delegated Third Party for DCV, if the mail server and resolver are not controlled by the CA.

Regards,

Martijn

Roman Fischer

Oct 24, 2025, 4:09:44 AM
to server...@groups.cabforum.org

Yes, I'm aware of the Delegated Third Party issue. 👍 Just brought it up because of the recent discussions about possible usage of cloud services. 😉

-Roman

Dimitris Zacharopoulos (HARICA)

Oct 27, 2025, 3:50:40 AM
to server...@groups.cabforum.org

Martijn, I don't think it's that simple, as discussed at the recent validation calls. Although some CAs use local resolvers to directly contact authoritative name servers to perform DNS and HTTP queries, there are a number of CAs relying on external mail service providers (I recall the names of SendGrid, Azure and AWS mail providers coming up in those discussions). I'm not sure the group concluded that those third-party mail providers are considered DTPs. In a similar manner we discussed about mail validation methods relying on regular postal mail, SMS providers, etc. Taking your interpretation about third-party mail providers, leads me to assume that using telephone or third-party SMS providers as part of the DCV process could also be considered DTPs.


Thanks,
Dimitris.

Martijn Katerbarg

Oct 27, 2025, 5:19:13 PM
to server...@groups.cabforum.org
Fair. I do believe this was discussed in the past, not sure if conclusions were drawn though.

It’s where you place the line, absolutely, but if you’re placing the line before email servers, then others might draw the line before DNS servers. In my personal opinion, both those lines are incorrect.

(Perhaps this is the reason many CAs don’t offer these methods)
