Question about implementation of DNSSEC checks for E-Mail based Domain Validation

320 views
Skip to first unread message

Roman Fischer

unread,
Aug 19, 2025, 10:43:59 AMAug 19
to server...@groups.cabforum.org

Dear all,

 

The vendor of our CA system has started planning for the implementation of DNSSEC validation of Domain Validation and CAA (SC-085v2).

 

On point came up: We do currently support domain validation method 3.2.2.4.4 Constructed Email to Domain Contact. This is implemented in a way that the CA system has the mail-server configured where it hands off the emails to be sent out.

 

It's now not really clear how to handle this with respect to DNSSEC validation. Is the expectation of the community that the sending mail-server will have to do DNSSEC validation as described in the TLS BR?

 

If so, that would have the side-effect that when such a DNSSEC validation fails, the mail-server currently has no way of signaling this failure back to the CA system. This in turn would mean that the customer would simply not receive the constructed email with the token and the domain validation would remain in a "pending" state.

 

1. What is the community's expectation regarding DNSSEC checks for email-based domain validation methods?

2. How are other CA's implementing this case?

 

Thanks for any feedback and experience sharing!

 

Kind regards
Roman

 

Roman Fischer

Information Security Manager

 

+41 76 310 12 66

roman....@swisssign.com

 

SwissSign AG

Sägereistrasse 25

Postfach

CH-8152 Glattbrugg
swisssign.com

 

Nichts mehr verpassen: Folgen Sie uns auf LinkedIn!

Abonnieren Sie unseren Newsletter oder besuchen Sie unseren Blog.

 

Andrew Chen

unread,
Aug 19, 2025, 12:05:53 PMAug 19
to server...@groups.cabforum.org
Roman,
Assuming you configure your mail server to require DNSSEC validation, failure processing could be implemented by having a unique return-path per message sent, pointing to an inbound parse webhook that can process the bounce.

Andrew

--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/ZR0P278MB01708F040851FCAA255AFC2EFA30A%40ZR0P278MB0170.CHEP278.PROD.OUTLOOK.COM.

Dimitris Zacharopoulos (HARICA)

unread,
Sep 1, 2025, 4:28:02 AMSep 1
to server...@groups.cabforum.org

During the last WG Teleconference, this topic was briefly discussed. While some members expressed an expectation that DNSSEC should apply to Email Domain Validation methods, the BRs are not so explicit about it. Some amendments may be needed before the effective date of SC085 (March 15, 2026).

It was suggested that this topic is added to the agenda of the next Validation Subcommittee Teleconference.


Thank you,
Dimitris.

--
Dimitris Zacharopoulos
CA/B Forum SCWG Chair

Roman Fischer

unread,
Oct 17, 2025, 7:09:15 AM (yesterday) Oct 17
to server...@groups.cabforum.org

Dear all,

 

Following up on a discussion during the last face-2-face meeting, we are asking the community for feedback on (realistic) threat vectors that could abuse the situation where DNSSEC would not be checked for E-Mail based Domain Control Validation while DNSSEC would be checked for CAA checks.

 

The reason we're looking for such threat vectors is to decide if a temporary exclusion of DNSSEC check for e-mail based DCV would present a risk that is not sufficiently mitigated by doing CAA checks with DNSSEC validation during certificate issuance.

 

Kind regards
Roman

Reply all
Reply to author
Forward
0 new messages