HeadlinesBriefing.com

CAs Now Mandate DNSSEC Validation for Secure Domain Certificates

Hacker News

Certificate Authorities (CAs) must now perform DNSSEC validation on the DNS lookups they make when issuing certificates, a notable change to domain validation practice. Starting today, a CA that resolves a DNSSEC-signed domain during domain control validation (including the DNS-based challenges of the ACME protocol) must check that the records it receives carry valid signatures chaining up to the root, rather than accepting whatever answer arrives. The change applies to CAs worldwide and closes a gap in which a CA that ignored DNSSEC could be fed spoofed DNS answers (through cache poisoning or hijacking of routes to the authoritative servers) and mis-issue a certificate that an attacker could then use for man-in-the-middle interception.

The mandate addresses a longstanding weakness: a domain owner could sign their zone with DNSSEC, yet a CA that did not validate those signatures would still accept forged DNS responses for the domain and could be tricked into issuing a fraudulent certificate. By requiring CAs to validate DNSSEC as part of domain validation, the move strengthens trust in the Web PKI. The author, who has run DNSSEC since 2012 with tools such as bind9 and PowerDNS, notes that this aligns with industry efforts to harden certificate issuance against emerging threats.

This update affects domain registrars, DNS hosting providers, and the tooling that manages DNSSEC. Registrars, for example, must keep the DS records they publish in the parent zone in step with the DNSKEYs the child zone actually serves: a stale DS left behind after a key rollover, or an RRSIG that was allowed to expire, now makes the zone "bogus" to the CA's validating resolver, so the certificate request fails instead of silently succeeding on unverified answers. The change also underscores the importance of DNSSEC adoption for organizations that want integrity guarantees from the DNS all the way through to the certificate.

Experts stress that while many CAs had already validated DNSSEC before the deadline, mandatory enforcement ensures that every CA does so. As one source states, "This isn't just a technical update—it's a foundational step toward a safer web ecosystem." Domain administrators are urged to audit their DNSSEC setups now, in particular confirming that the parent's DS records match the zone's current DNSKEYs and that signatures are refreshed before they expire, to avoid certificate issuance disruptions.
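The audit the article calls for reduces, at the delegation point, to one check a registrar or zone operator can script: does every DS record the parent publishes correspond to a DNSKEY the child zone actually serves, and does at least one of them match? The following is an added example, not code from the article or from any CA, registrar or DNS vendor. It uses only the Python standard library; the DNSKEY key bytes are constructed placeholders rather than real ECDSA keys (the DS digest and key-tag arithmetic of RFC 4034 do not depend on the key being valid), and fetching the live DNSKEY and DS RRsets (for example with dig) is left to the caller.

```python
"""DS/DNSKEY consistency audit for a DNSSEC delegation (added example).

A DS record is (key_tag, algorithm, digest_type, H(owner_name_wire || DNSKEY RDATA)).
If no DS in the parent matches a DNSKEY in the child, a validating resolver treats
the zone as bogus, which is what now turns into a failed certificate request.
"""
import hashlib
import struct
from dataclasses import dataclass

# DS digest types (RFC 4034 s5.1.3, RFC 4509, RFC 6605); GOST (3) deliberately omitted
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 256 = ZSK, 257 = KSK (Zone Key bit + SEP bit)
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # raw key material as carried in the RR

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def wire_name(name: str) -> bytes:
    """Canonical owner name: lower-cased, length-prefixed labels, root terminator (RFC 4034 s6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag computed over the whole DNSKEY RDATA (RFC 4034 Appendix B.1; not the RSA/MD5 case)."""
    ac = 0
    for i, byte in enumerate(key.rdata()):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS the parent should publish for this key: digest = H(owner_wire || DNSKEY RDATA)."""
    h = DIGEST_ALGS[digest_type]()
    h.update(wire_name(owner))
    h.update(key.rdata())
    return DS(key_tag(key), key.algorithm, digest_type, h.digest())


def audit_delegation(owner: str, dnskeys: list, ds_set: list) -> list:
    """Compare the parent's DS RRset with the child's DNSKEY RRset.

    Returns findings as strings. ERROR: no usable DS matches any DNSKEY, so a validating
    resolver (and now a CA) sees the zone as bogus. WARN: a stale or unusable DS that still
    leaves at least one valid chain of trust. An empty list means the delegation is consistent.
    """
    findings = []
    supported = matched = 0
    for ds in ds_set:
        if ds.digest_type not in DIGEST_ALGS:
            findings.append(f"WARN: DS {ds.key_tag}: unsupported digest type {ds.digest_type}")
            continue
        supported += 1
        if any(ds_from_dnskey(owner, k, ds.digest_type) == ds for k in dnskeys):
            matched += 1
        else:
            findings.append(f"WARN: DS {ds.key_tag}/alg {ds.algorithm}: no matching DNSKEY in zone (stale after a rollover?)")
    if supported and not matched:
        findings.insert(0, f"ERROR: {owner}: no DS matches any published DNSKEY; zone is bogus")
    return findings


# Constructed sample data: placeholder key bytes, not real ECDSA public keys.
ZONE = "example.com."
KSK_CURRENT = DNSKEY(257, 3, 13, bytes(range(1, 65)))
KSK_OLD = DNSKEY(257, 3, 13, b"\x01\x02\x03\x04")   # retired KSK; its key tag is 2068


def demo() -> dict:
    """Three delegation states an operator may find after a KSK rollover."""
    ds_current = ds_from_dnskey(ZONE, KSK_CURRENT)
    ds_old = ds_from_dnskey(ZONE, KSK_OLD)
    return {
        "consistent": audit_delegation(ZONE, [KSK_CURRENT], [ds_current]),
        "stale_ds_still_valid": audit_delegation(ZONE, [KSK_CURRENT], [ds_current, ds_old]),
        "rollover_forgot_ds": audit_delegation(ZONE, [KSK_CURRENT], [ds_old]),
    }


if __name__ == "__main__":
    for state, findings in demo().items():
        print(state, "->", findings or ["OK"])
```

The third state is the one that now blocks issuance: the new KSK is live in the zone, but the registrar still holds only the DS for the retired key, so every signature check the CA performs fails. Running the audit before and after each rollover, and again before a certificate renewal, catches it while it is still a warning rather than an outage.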