← CABF Ballot Browser
SC-094v2 passed

Ballot SC094v2: DNSSEC exception in email DCV methods

Server Certificate Working Group

Key dates

Effective date
15 Mar 2026 3 months ago
Voting opened
08 Jan 2026 5 months ago
Voting closed
15 Jan 2026 5 months ago
Discussion opened
19 Dec 2025 6 months ago
Discussion closed
26 Dec 2025 5 months ago

Resources

GitHub diff https://github.com/cabforum/servercert/compare/a9f40a597e45605e499bc73a64aaa1d607bd5b0a https://github.com/cabforum/servercert/compare/a9f40a597e45605e499bc73a64aaa1d607bd5b0a
± Redline https://cabforum.org/2026/01/15/ballot-sc094v2-dnssec-exception-in-email-dcv-methods/BR-SC094-redline.pdf TBR-SC94-redlined.pdf
± Redline https://cabforum.org/2026/01/15/ballot-sc094v2-dnssec-exception-in-email-dcv-methods/BR-SC094-redline.docx TBR-SC94-redlined.docx
Document https://cabforum.org/2026/01/15/ballot-sc094v2-dnssec-exception-in-email-dcv-methods/BR-SC094.pdf TBR-SC94.pdf
Document https://cabforum.org/2026/01/15/ballot-sc094v2-dnssec-exception-in-email-dcv-methods/BR-SC094.docx TBR-SC94.docx
Document https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf

AI Summary

Generated 2026-06-23 21:11 UTC

Ballot overview

  • Ballot code/title: SC094v2: DNSSEC exception in email DCV methods
  • Working group: Server Certificate Working Group
  • Purpose: Modify the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates (based on Version 2.1.9) to propose a Final Maintenance Guideline.
  • Context described on the ballot page: After discussions around DNSSEC enforcement for all Domain Validation methods, and with the WG’s decision that e-mail Domain Validation methods are scheduled to be deprecated (SC090), the ballot proposes an exception to DNSSEC enforcement for those methods.
  • Additional note: This version (2) fixes an inconsistency issue raised on the SCWG public list.

What changes (as shown in the provided diff text)

  • The diff text shows a change to DNSSEC validation requirements, including:
    • Effective March 15th, 2026: For e-mail Domain Validation methods described in sections 3.2.2.4.4, 3.2.2.4.13, 3.2.2.4.14, DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed on DNS CNAME, CAA, TXT queries attempting to obtain the Authorization Domain Name associated with validation of domain authorization or control by the Primary Network Perspective, and CAs MUST NOT use local policy to disable DNSSEC validation.
    • For all other DNS queries, DNSSEC validation back to the IANA DNSSEC root trust anchor SHOULD be performed and CAs SHOULD NOT use local policy to disable DNSSEC validation.
    • For all other Domain Validation methods, DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed on all DNS queries associated with validation of domain authorization or control by the Primary Network Perspective, and CAs MUST NOT use local policy to disable DNSSEC validation.

Approval and voting results (from the ballot page)

  • Voting Members (Certificate Issuer category): 26 votes in total; 26 YES, 0 NO, 0 ABSTAIN.
  • Voting Members (Certificate Consumer category): 2 votes in total; 2 YES, 0 NO, 0 ABSTAIN.
  • Bylaws requirements: The ballot page states that the relevant adoption requirements under Bylaw 2.3(6) and Bylaw 2.3(7) were MET, including quorum of 17.
  • Result shown on the page: Voting Results indicate the ballot passed (current_status: passed).
Model: gpt-5.4-nano Confidence: 0.74 Result: passed
Effective date
2026-03-15
Voting opened
2026-01-08
Voting closed
2026-01-15
Discussion opened
2025-12-19
Discussion closed
2025-12-26
Applicability and conditions

2026-03-15 — For those e-mail Domain Validation methods, DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed on DNS CNAME, CAA, TXT queries attempting to obtain the Authorization Domain Name associated with validation of domain authorization or control by the Primary Network Perspective, and CAs MUST NOT use local policy to disable DNSSEC validation; for all other DNS queries, DNSSEC validation SHOULD be performed and CAs SHOULD NOT use local policy to disable DNSSEC validation. Applies to e-mail Domain Validation methods described in sections 3.2.2.4.4, 3.2.2.4.13, 3.2.2.4.14 (and distinguishes DNS query types and network perspective as described in the diff text).

2026-03-15 — For all other Domain Validation methods, DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed on all DNS queries associated with validation of domain authorization or control by the Primary Network Perspective, and CAs MUST NOT use local policy to disable DNSSEC validation. Applies to all other Domain Validation methods (as described in the diff text).

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

Certificate Issuers 26 yes 0 no 0 abstain
Certificate Consumers 2 yes 0 no 0 abstain

CABF ballot approval depends on both voting classes; CA votes alone are not decisive.

28 Yes
0 No
0 Abstain

100% yes · 0% no

Proposers

Dimitris Zacharopoulos (HARICA) and endorsed by Roman Fischer (SwissSign) and Adriano Santoni (Actalis).

Excerpt

SearchHome » All CA/Browser Forum Posts » Ballot SC094v2: DNSSEC exception in email DCV methodsBallot SC094v2: DNSSEC exception in email DCV methodsVoting Results Certificate Issuers 26 votes in total:

View on cabforum.org → Last fetched 16 hours ago

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action