SC-085v2 passed

Ballot SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups

Server Certificate Working Group

Key dates

Effective date
15 Mar 2026
Voting opened
11 Jun 2025
Voting closed
18 Jun 2025
IPR review ends
19 Jul 2025
Discussion opened
23 May 2025
Discussion closed
06 Jun 2025

AI Summary

Generated 2026-06-23 21:14 UTC

Ballot overview

  • Ballot SC-085v2 is titled Require Validation of DNSSEC (when present) for CAA and DCV Lookups.
  • The ballot proposes changes to the TLS Baseline Requirements so that CAs validate DNSSEC, when present, during CAA record lookups and DCV-related DNS lookups from the Primary Network Perspective.
  • The ballot page says the change is expected to have minimal impact on DNS resolvers and that domains using DNSSEC will benefit from improved security.
  • The ballot page states that the ballot sets an effective date of March 15, 2026 for these changes.

Voting and adoption

  • Voting results on the ballot page show 25 YES votes, 0 NO votes, and 1 ABSTAIN in the Certificate Issuers category.
  • Certificate Consumers recorded 4 YES votes, 0 NO votes, and 0 ABSTAIN.
  • The bylaws requirements were met for issuer votes, consumer votes, at least one affirmative vote in each category, and quorum.
  • The evidence includes no exclusion notices.

Normative changes in the redline

  • For domain authorization or control lookups by the Primary Network Perspective, DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed starting March 15, 2026.
  • The resolver used for those lookups MUST:
    • perform DNSSEC validation using RFC 4035 Section 5
    • support NSEC3 as defined in RFC 5155
    • support SHA-2 as defined in RFC 4509 and RFC 5702
    • properly handle the security concerns in RFC 6840 Section 4
  • CAs MUST NOT use local policy to disable DNSSEC validation on DNS queries associated with domain authorization or control validation.
  • For CAA record lookups by the Primary Network Perspective, DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed starting March 15, 2026.
  • For CAA lookups, DNSSEC-validation errors observed by the Primary Network Perspective, such as SERVFAIL, MUST NOT be treated as permission to issue.
  • For Remote Network Perspectives used for Multi-Perspective Issuance Corroboration, DNSSEC validation back to the IANA DNSSEC root trust anchor MAY be performed.
  • DNSSEC validation back to the IANA DNSSEC root trust anchor is outside the scope of self-audits performed to fulfill Section 8.7.
  • The CAA failure condition was revised so that a lookup failure may be treated as permission to issue only if the CA has confirmed the domain is Insecure as defined in RFC 4035 Section 4.3.

IPR review notice

  • The review notice states the review period ran from 2025-06-19 19:00:00 UTC to 2025-07-19 19:00:00 UTC.
  • The notice says members with Essential Claims must submit an Exclusion Notice before the end of the Review Period.
  • The supplied evidence does not show any exclusion notices being filed.
Model: gpt-5.4-mini · Confidence: 0.98 · Result: passed
Applicability and conditions

Primary Network Perspective DNS queries associated with validation of domain authorization or control (effective 2026-03-15): CAs must perform DNSSEC validation back to the IANA DNSSEC root trust anchor and must not use local policy to disable DNSSEC validation on those queries.

Primary Network Perspective DNS queries associated with CAA record lookups (effective 2026-03-15): CAs must perform DNSSEC validation back to the IANA DNSSEC root trust anchor, must not use local policy to disable DNSSEC validation, and must not treat DNSSEC-validation errors such as SERVFAIL as permission to issue.

Remote Network Perspectives used for Multi-Perspective Issuance Corroboration (effective 2026-03-15): DNSSEC validation back to the IANA DNSSEC root trust anchor may be performed.

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

Certificate Issuers 25 yes 0 no 1 abstain
Certificate Consumers 4 yes 0 no 0 abstain

CABF ballot approval depends on both voting classes; CA votes alone are not decisive.

29 Yes
0 No
1 Abstain

97% yes · 0% no · 3% abstain

Proposers

Proposed by Clint Wilson (Apple) and endorsed by Wayne Thayer (Fastly), Dimitris Zacharopoulos (HARICA), and Ryan Dickson (Chrome).

Excerpt

Ballot SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups. Voting Results: Certificate Issuers, 25 votes in total:
