To make the Internet safer for users to navigate, organizations such as the CA/B Forum set standards that enable just that. These standards help ensure that we can trust that we are communicating and connecting with the right person, on the right device, exchanging authentic data.
With the release of the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted TLS Server Certificates” Version 2.2.2 by the CA/B Forum on 12th January 2026, CAs will require DNSSEC validation for any domain that has DNSSEC enabled, starting March 3rd 2026.
This policy is part of the domain control validation and Certificate Authority Authorization (CAA) checks.
If you have not enabled DNSSEC, it is advisable to do so to increase the security of your certificate domains. Note that DNSSEC is an optional feature; if you choose not to implement it, verify that DNSSEC is actually not enabled for your domains.
If you have enabled DNSSEC, you should check the DNSSEC configuration of all of your certificate domains before DNSSEC validation is enforced on March 3rd. CAs have already observed DNSSEC validation errors when processing customer certificate requests.
It is important to verify whether DNSSEC is in use, because both manual and automatic renewals of TLS certificates will fail if DNSSEC is improperly implemented or configured.
To visually check the DNSSEC status of your domain, you can use this tool:
As this is a third-party tool, KeyTalk cannot endorse the information provided on the website.
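A scriptable counterpart to that visual check, added here as an example (it is not KeyTalk's code, nor any CA's): it classifies a domain from captured `dig +dnssec` output into the three outcomes a CA's validating resolver will see, unsigned, secure or bogus. The domain name, the resolver output fragments and the `<digest>`/`<signature>` placeholders are constructed, not real query results.

```python
import re

# Added example (not KeyTalk's code): classify a certificate domain's DNSSEC state from
# captured `dig +dnssec` output, as a check to run before CAs enforce DNSSEC validation.
# Inputs are the text of `dig +dnssec DS <domain>` and `dig +dnssec A <domain>` sent to a
# validating resolver; the fragments at the bottom are constructed, not real results.
STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)

def parse_dig(output):
    """Return (rcode, header flags, record types seen in the ANSWER section)."""
    status, flags = STATUS_RE.search(output), FLAGS_RE.search(output)
    types, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";") or not line.strip():
            in_answer = False              # next section header or blank line ends the answers
        elif in_answer and len(line.split()) >= 4:
            types.append(line.split()[3])  # owner ttl class TYPE rdata...
    return (status.group(1) if status else "UNKNOWN",
            set(flags.group(1).split()) if flags else set(), types)

def dnssec_status(ds_output, a_output):
    """unsigned: no DS at the parent, so DNSSEC is not enabled and there is nothing to validate.
    secure:   DS published and the answer carries the AD (authenticated data) flag.
    bogus:    DS published but the chain fails to validate (SERVFAIL or no AD); once
              enforced, domain validation and hence certificate renewal will fail."""
    ds_rcode, _, ds_types = parse_dig(ds_output)
    a_rcode, a_flags, _ = parse_dig(a_output)
    if ds_rcode == "NOERROR" and "DS" not in ds_types:
        return "unsigned"
    if ds_rcode == "NOERROR" and a_rcode == "NOERROR" and "ad" in a_flags:
        return "secure"
    return "bogus"

# Constructed dig fragments, trimmed to the lines the parser needs; example.com is a placeholder.
HDR = ";; ->>HEADER<<- opcode: QUERY, status: %s, id: 1\n;; flags: %s; QUERY: 1, ANSWER: 1\n\n"
DS_PRESENT = HDR % ("NOERROR", "qr rd ra ad") + (";; ANSWER SECTION:\n"
             "example.com.\t3600\tIN\tDS\t12345 13 2 <digest>\n"
             "example.com.\t3600\tIN\tRRSIG\tDS 13 2 3600 <signature>\n\n;; Query time: 9 msec\n")
DS_ABSENT = HDR % ("NOERROR", "qr rd ra ad") + ";; AUTHORITY SECTION:\ncom.\t900\tIN\tSOA\tns.example. hostmaster.example. 1 2 3 4 5\n"
A_SECURE = HDR % ("NOERROR", "qr rd ra ad") + ";; ANSWER SECTION:\nexample.com.\t300\tIN\tA\t192.0.2.10\n"
A_INSECURE = HDR % ("NOERROR", "qr rd ra") + ";; ANSWER SECTION:\nexample.com.\t300\tIN\tA\t192.0.2.10\n"
A_BOGUS = HDR % ("SERVFAIL", "qr rd ra")       # a validating resolver refuses to return bogus data

if __name__ == "__main__":
    for label, ds, a in (("signed, validating", DS_PRESENT, A_SECURE),
                         ("signed, broken", DS_PRESENT, A_BOGUS), ("unsigned", DS_ABSENT, A_INSECURE)):
        print(f"{label}: {dnssec_status(ds, a)}")
```

A domain that comes back "bogus" is the case the CAs are warning about: the DS record at the parent commits the domain to DNSSEC, so a broken chain is treated as a failure rather than ignored.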
In short, DNSSEC (Domain Name System Security Extensions) is a set of security extensions to DNS that use digital signatures and cryptographic keys to ensure DNS data is authentic and unaltered. By providing authentication, it adds a layer of trust on top of DNS.
DNS servers resolve a website name to an IP address. For example, the IP address of keytalk.com is 162.159.134.42. DNSSEC ensures that DNS data has not been tampered with, protecting against “cache poisoning” and “DNS spoofing” attacks that would allow attackers to redirect people to malicious websites.
DNSSEC enhances the security of the Domain Name System by adding cryptographic signatures to DNS records. These signatures are published by DNS name servers alongside the conventional record types (e.g., A, AAAA, MX). When a DNS record is requested, its associated signature is validated. This confirms that the data originates from the authoritative name server and has remained unaltered in transit, thereby preventing malicious alterations such as those attempted in man-in-the-middle attacks.
—
Interested in learning more about how KeyTalk can help improve and simplify your digital certificate management through CLM automation? Reach out to us today. You can contact us by e-mail or through our contact page.
Sources: