SC-091 passed

Ballot SC-091: Sunset 3.2.2.5.3 Reverse Address Lookup Validation, proposal of new DNS-based validation using Persistent DCV TXT Record for IP addresses

Server Certificate Working Group

Key dates

Effective date: 15 Mar 2027
Voting opened: 05 Nov 2025
Voting closed: 12 Nov 2025
IPR review ends: 14 Dec 2025
Discussion opened: 23 Oct 2025
Discussion closed: 04 Nov 2025

Resources

Affected document sections

  • TLS BR § 1.2.2: Adds a relevant date entry for 2027-03-15 stating that CAs must not rely on Method 3.2.2.5.3 to issue Subscriber Certificates.
  • TLS BR § 1.6.1: Adds the definition of Reverse Zone Domain Name.
  • TLS BR § 3.2.2.5.3: Sunsets Reverse Address Lookup by stating that effective 2027-03-15 the CA must not rely on this method, and prior validations and validation data from it must not be used to issue Subscriber Certificates.
  • TLS BR § 3.2.2.5.8: Creates a new IP address validation method using a Persistent DCV TXT Record placed at the _ip-validation-persist label under the Reverse Zone Domain Name.
AI Summary

Generated 2026-06-23 21:12 UTC

Outcome

  • SC-091 received 24 YES, 0 NO, and 0 ABSTAIN votes from Certificate Issuers, and 2 YES, 0 NO, and 0 ABSTAIN votes from Certificate Consumers.
  • The ballot page states that all adoption requirements in Bylaw 2.3(6) were met and quorum under Bylaw 2.3(7) was met.
  • The ballot page includes a 30-day IPR review period running from 2025-11-14 to 2025-12-14.
  • The supplied evidence does not state that any exclusion notice was filed.

What the ballot does

  • Modifies the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates, based on Version 2.7.1 as stated on the ballot page.
  • Sunsets Section 3.2.2.5.3 Reverse Address Lookup.
  • Introduces Section 3.2.2.5.8 DNS TXT Record with Persistent Value in the Reverse Namespace as a replacement validation method for IP addresses.
  • Adds a definition for Reverse Zone Domain Name.
  • Adds a relevant date entry stating that on 2027-03-15 CAs must not rely on Method 3.2.2.5.3 to issue Subscriber Certificates.
  • Adds text to Section 3.2.2.5.3 stating that effective 2027-03-15 the CA must not rely on this method and prior validations and validation data gathered using this method must not be used to issue Subscriber Certificates.
  • Adds Section 3.2.2.5.8 describing validation of an IP address by converting the IP address to a Reverse Zone Domain Name and verifying a Persistent DCV TXT Record at the _ip-validation-persist label prepended to that reverse zone name.

Stated rationale

  • The ballot says Reverse Address Lookup has been recognized as insecure because it relies on PTR records and indirect validation of domains instead of IP addresses.
  • The ballot says stale PTR records and crossover risk are primary security concerns with the existing method.
  • The ballot says the new method limits validation to direct DNS TXT queries in the .arpa zone associated with an IP address and requires an account-bound credential in the TXT record.
  • The ballot says the new method is intended to provide a more direct proof of control over the IP address-associated reverse namespace and reduce the attack surface.

Compliance timing

  • The ballot lists implementation of Section 3.2.2.5.8 as effective immediately.
  • The ballot lists sunset of Method 3.2.2.5.3 as effective 2027-03-15.
  • The redline states that effective 2027-03-15 the CA must not rely on Section 3.2.2.5.3 and must not use prior validations or validation data gathered under that method to issue Subscriber Certificates.
Applicability and conditions

2027-03-15: CAs must not rely on Method 3.2.2.5.3, and prior validations and validation data gathered using that method must not be used to issue Subscriber Certificates. Applies to use of Section 3.2.2.5.3 Reverse Address Lookup for issuing Subscriber Certificates.

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

Certificate Issuers: 24 yes, 0 no, 0 abstain
Certificate Consumers: 2 yes, 0 no, 0 abstain

CABF ballot approval depends on both voting classes; CA votes alone are not decisive.

Total: 26 yes, 0 no, 0 abstain (100% yes, 0% no)

Proposers

SC-90). This represents a broader attack surface compared to 3.2.2.5.22, which consists purely of DNS. Compromise of any of the 3.2.2.4 methods could allow an attacker to gain a misissued certificate

Excerpt

Ballot SC-091: Sunset 3.2.2.5.3 Reverse Address Lookup Validation, proposal of new DNS-based validation using Persistent DCV TXT Record for IP addresses. Voting Results: Certificate Issuers 24 votes in total:
