Ballot SC-085: Require DNSSEC for CAA and DCV Lookups

Ballot SC-085 proposes mandatory DNSSEC for CAA and DCV lookups to prevent certificate issuance attacks.

Ballot SC-085 proposes that Certificate Authorities (CAs) require DNSSEC validation both for CAA (Certification Authority Authorization) record lookups and for Domain Control Validation (DCV) procedures. If a CA only checks an unsigned DNS record, an attacker who can alter the answer the CA receives (for example a BGP hijacker) could trick the CA into issuing a certificate for a domain they do not own. DNSSEC validation ensures the DNS response is authentic: it is signed with the zone's keys in a chain of trust that leads back to the DNS root, so it must come from the domain's real owner.

Current Status: Ballot SC-085 is under IPR Review Period
  • Some CAs (like Let’s Encrypt) optionally perform DNSSEC validation today.

The CA/Browser Forum guidelines that govern publicly trusted CAs do not yet require DNSSEC validation for DCV, but there is growing interest in making it a requirement in the future.


What Is DNSSEC?

DNSSEC stands for Domain Name System Security Extensions. It enables domain owners to digitally sign the information they publish in the Domain Name System (DNS), so that a resolver which validates those signatures can detect and discard corrupted DNS data, whether caused by error or malicious activity, before it reaches users.

DNSSEC Validation by CAs

In SSL/TLS certificate issuance, Certificate Authorities (CAs) must verify that the requester actually controls the domain for which they are requesting a certificate. This is called Domain Control Validation (DCV). DCV is typically performed via email, an HTTP file upload, or a DNS TXT record. DNSSEC validation by CAs means that when a CA performs DCV, particularly via a DNS TXT record, it also checks whether the DNS response is protected by DNSSEC and verifies its chain of trust. Rather than simply trusting the DNS response, the CA validates the DNSSEC signatures to ensure the data has not been tampered with.

Challenges to Mandatory DNSSEC Validation

For DNSSEC to protect a lookup, the registrant must sign the zone's DNS records with DNSSEC, and the resolver performing the lookup must have DNSSEC validation enabled.

  • Not all domains have adopted DNSSEC yet, though adoption is increasing.
  • Resolver complexity: CAs would require reliable, trusted validating resolvers to perform DNSSEC validation.
  • Fallback issues: What should happen if DNSSEC validation fails? Should the CA reject the DCV or attempt it again?
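As an added example (not the ballot's text nor any CA's code) covering both the validation step described above and the fallback question in the list: a stdlib Python sketch of the query a CA's client sends (EDNS0 DO bit), the AD bit it reads back from its validating resolver, and one possible decision rule that rejects SERVFAIL and unsigned answers instead of retrying. The token, all packets and the policy itself are constructed assumptions.

```python
# Added example (not code from the ballot, the CA/B Forum or any CA): the two
# protocol bits a CA's resolver client relies on under SC-085 (EDNS0 DO in the
# query, AD in the answer) and a DCV decision rule built on them. Stdlib only;
# every packet below is constructed, not captured from a resolver.
import secrets
import struct

DO_BIT = 0x8000        # "DNSSEC OK": MSB of the OPT RR's 32-bit TTL field
AD_BIT = 0x0020        # "Authenticated Data" flag in the DNS header
QTYPE_TXT, QTYPE_OPT = 16, 41

def build_query(name: str, qtype: int = QTYPE_TXT) -> bytes:
    """Query with RD=1 and AD=1 (we understand AD) plus an OPT RR with DO=1."""
    header = struct.pack("!HHHHHH", secrets.randbits(16), 0x0120, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)               # class IN
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, DO_BIT, 0)  # UDP size 4096
    return header + question + opt

def parse_header(resp: bytes) -> dict:
    """Extract the header fields the DCV decision depends on."""
    _, flags, *_ = struct.unpack("!HHHHHH", resp[:12])
    return {"qr": bool(flags & 0x8000), "ad": bool(flags & AD_BIT), "rcode": flags & 0xF}

def decide_dcv(resp: bytes, txt_values: list, expected_token: str,
               require_dnssec: bool = True) -> str:
    """Policy (an assumption here, one answer to the ballot's fallback question):
    SERVFAIL from the validating resolver is treated as bogus and rejected, never
    retried through a non-validating path; an AD=0 answer is rejected when DNSSEC
    is required; the token must match exactly. txt_values are the TXT strings
    already parsed from the answer section (parsing is outside this example)."""
    hdr = parse_header(resp)
    if not hdr["qr"]:
        return "REJECT_NOT_A_RESPONSE"
    if hdr["rcode"] == 2:                  # SERVFAIL: bogus chain or resolver failure
        return "REJECT_SERVFAIL"
    if hdr["rcode"] != 0:
        return "REJECT_RCODE_%d" % hdr["rcode"]
    if require_dnssec and not hdr["ad"]:   # unsigned zone or non-validating resolver
        return "REJECT_UNSIGNED"
    if expected_token not in txt_values:
        return "REJECT_NO_TOKEN"
    return "PASS"

# Constructed 12-byte response headers; the AD bit is what SC-085 hinges on.
SECURE_OK = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)    # QR RD RA AD, NOERROR
INSECURE_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA, AD=0
BOGUS = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)        # QR RD RA, SERVFAIL
TOKEN = "_ts-dcv=constructed-example-token"  # constructed, not a real CA token
```

Setting require_dnssec=False reproduces today's optional behaviour, where an AD=0 answer still passes; the AD bit is only meaningful when the CA's own resolver validates and the path to it is trusted.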

Next Steps

Ballot SC-085 is still under discussion at the CA/Browser Forum’s Server Certificate Working Group. Given the complexity of integrating DNSSEC validation into existing CA workflows, there have been suggestions to introduce a delayed effective date for SC-085. If passed, DNSSEC validation would become a mandatory part of the Baseline Requirements for publicly trusted TLS certificates.

Source: https://github.com/cabforum/servercert/pull/579
