
DNSSEC Validation for SSL Certificates: CA/B Forum Ballot SC-085 Changes in March 2026
Why It Matters
Mandatory DNSSEC validation ties domain integrity directly to certificate availability, raising operational risk for any entity that relies on automated TLS or S/MIME issuance.
Key Takeaways
- DNSSEC validation becomes mandatory for CA/CAA checks March 2026.
- Misconfigured DNSSEC will block TLS and S/MIME certificate issuance.
- Enterprises with automated renewal face highest risk of downtime.
- Verify DS records, key rollovers, and TTLs before deadline.
- Domains without DNSSEC remain unaffected by the new rule.
Pulse Analysis
The CA/Browser Forum’s SC‑085v2 and SMC014 ballots, slated for March 3 2026, add DNSSEC validation to the existing CAA and domain‑control‑validation (DCV) workflow. By requiring CAs to verify cryptographic signatures whenever a domain has DNSSEC enabled, the rule closes a long‑standing gap where a compromised DNS response could still lead to a valid TLS or S/MIME certificate. This aligns certificate issuance with the broader DNS trust chain, reinforcing protection against cache‑poisoning and man‑in‑the‑middle attacks that have plagued the web for years.
The operational impact is immediate for organizations that rely on automated issuance platforms such as ACME or large‑scale certificate management services. A single missing DS record, expired ZSK/KSK, or an improperly executed key rollover will cause the CA to reject both new certificates and renewals, potentially interrupting web services, email encryption, or client authentication. High‑volume enterprises, especially in finance, healthcare, and telecom, often manage thousands of domains across multiple registrars, making DNSSEC misconfigurations a critical point of failure that can cascade through CI/CD pipelines and monitoring tools.
Preparing for the March deadline starts with a comprehensive domain inventory and a systematic DNSSEC health check. Teams should confirm that the DS records published by the registrar match the DNSKEY set the zone actually serves, verify that ZSK and KSK lifetimes are well within rotation windows, and test the full validation chain with tools like DNSViz (dnsviz.net). Integrating these checks into CI pipelines and certificate‑renewal automation provides early warning before a CA rejects a request. As DNSSEC adoption grows, the industry expects tighter coupling between DNS integrity and PKI, making proactive compliance a competitive advantage.
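The DS-versus-DNSKEY comparison and key-lifetime check described above, as an added example written for this page (it is not code from the article, the CA/B Forum, or any CA). It implements the RFC 4034 key-tag and DS-digest computations so that the DS RRset a registrar publishes can be compared against the DNSKEY RRset the zone serves, and flags RRSIGs that expire within a configurable window. The zone name, key bytes, DS records and timestamps are constructed placeholders; a real pre-flight check would fetch the live DNSKEY, DS and RRSIG records through a resolver.

```python
"""DNSSEC pre-flight check before automated certificate issuance (added example).
All records below are constructed placeholders, not real cryptographic material."""
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# DS digest types registered for DNSSEC (RFC 4034 s5.1.3, RFC 4509, RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
RRSIG_TIME = "%Y%m%d%H%M%S"  # RRSIG presentation format for inception/expiration (UTC)


def wire_name(name):
    """Canonical wire-format owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack(">HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not valid for obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(name, rdata, digest_type):
    """DS digest = H(canonical owner name || DNSKEY RDATA), upper-case hex (RFC 4034 s5.1.4)."""
    return DIGEST_ALGS[digest_type](wire_name(name) + rdata).hexdigest().upper()


def check_ds(name, dnskeys, parent_ds):
    """Match each parent DS (key_tag, algorithm, digest_type, digest_hex) against the child's
    DNSKEYs (flags, protocol, algorithm, pubkey). Returns a list of (ds, matched, reason)."""
    results = []
    for tag, alg, dtype, digest in parent_ds:
        matched, reason = False, "no DNSKEY with this key tag and algorithm is published"
        for key in dnskeys:
            rdata = dnskey_rdata(*key)
            if key[2] != alg or key_tag(rdata) != tag:
                continue  # key tags can collide, so keep checking the other keys
            if dtype not in DIGEST_ALGS:
                reason = f"unsupported digest type {dtype}"
                continue
            if ds_digest(name, rdata, dtype) == digest.upper():
                matched, reason = True, "ok"
                break
            reason = "digest mismatch: DS at the registrar does not describe this DNSKEY (stale after rollover?)"
        results.append(((tag, alg, dtype, digest), matched, reason))
    return results


def rrsig_days_left(expiration, now=None):
    """Days until an RRSIG expires; both arguments use the RRSIG text form YYYYMMDDHHmmSS (UTC)."""
    exp = datetime.strptime(expiration, RRSIG_TIME).replace(tzinfo=timezone.utc)
    ref = datetime.strptime(now, RRSIG_TIME).replace(tzinfo=timezone.utc) if now else datetime.now(timezone.utc)
    return (exp - ref) / timedelta(days=1)


def preflight(name, dnskeys, parent_ds, rrsig_expirations, now=None, min_days=7):
    """What a validating CA resolver would conclude before a CAA/DCV lookup.
    status: 'insecure' (no DS: unsigned from the CA's view, issuance unaffected),
    'secure' (at least one DS matches a DNSKEY), 'bogus' (DS present but none matches:
    CAA/DCV lookups fail validation and issuance is blocked)."""
    issues = []
    if not parent_ds:
        status = "insecure"
    else:
        ds_results = check_ds(name, dnskeys, parent_ds)
        status = "secure" if any(ok for _, ok, _ in ds_results) else "bogus"
        issues += [f"DS {ds[0]}/{ds[1]}/{ds[2]}: {why}" for ds, ok, why in ds_results if not ok]
    for rrtype, exp in rrsig_expirations:
        days = rrsig_days_left(exp, now)
        if days < min_days:
            issues.append(f"RRSIG over {rrtype} expires in {days:.1f} days (threshold {min_days})")
    return {"status": status, "issues": issues}


# Constructed sample zone: placeholder key bytes, algorithm 13 = ECDSAP256SHA256.
ZONE = "example.com."
KSK = (257, 3, 13, bytes(range(64)))        # flags 257 = ZONE | SEP (key-signing key)
ZSK = (256, 3, 13, bytes(range(64, 128)))   # flags 256 = ZONE only (zone-signing key)
CHILD_DNSKEYS = [KSK, ZSK]


def sample_parent_ds(stale=False):
    """DS RRset as a registrar would publish it; stale=True simulates a DS left behind after a KSK rollover."""
    rdata = dnskey_rdata(*KSK)
    digest = ds_digest(ZONE, rdata, 2)
    if stale:
        digest = ("1" if digest[0] == "0" else "0") + digest[1:]  # corrupt one nibble
    return [(key_tag(rdata), 13, 2, digest)]


if __name__ == "__main__":
    sigs = [("DNSKEY", "20260301120000"), ("CAA", "20260320120000")]  # constructed expirations
    for label, ds in (("current DS", sample_parent_ds()), ("stale DS", sample_parent_ds(stale=True))):
        report = preflight(ZONE, CHILD_DNSKEYS, ds, sigs, now="20260226120000")
        print(f"{label}: {report['status']}")
        for issue in report["issues"]:
            print("  -", issue)
```

Run as a script it prints `secure` for the matching DS and `bogus` (with the mismatch reason and the soon-to-expire DNSKEY RRSIG) for the stale one. The status model mirrors what a validating resolver at a CA does: one DS that matches a published DNSKEY is enough for the zone to validate, a DS set with no match makes every CAA and DCV answer bogus, and no DS at all leaves the domain insecure but still issuable, which is why the check distinguishes the three cases rather than treating every unmatched DS as fatal.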