Ballot SC096: Carve-out for DNSSEC verification logging requirements

Ballot overview

• Ballot SC096 is titled Carve-out for DNSSEC verification logging requirements.
• It proposes a Final Maintenance Guideline modifying the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, based on Version 2.1.9.
• The ballot says DNSSEC verification logging is not in scope for the logging requirements in Section 5.4.1.
• The ballot also states that DNSSEC validation back to the IANA DNSSEC root trust anchor is outside the scope of self-audits under Section 8.7.

Voting and adoption

• Voting results show 27 Certificate Issuer votes in favor, 0 against, and 0 abstentions.
• Voting results show 2 Certificate Consumer votes in favor, 0 against, and 0 abstentions.
• The ballot page states all Bylaw 2.3 requirements were MET, including quorum.
• The ballot page states the ballot passed the Initial Vote.

Review period

• The review period started on 2026-01-15 18:00:00 UTC.
• The review period ended on 2026-02-14 18:00:00 UTC.
• The page says members with Essential Claims had to submit a Notice to Exclude Essential Claims before the end of the Review Period.

Requirement change

• The redline adds language stating that DNSSEC validation back to the IANA DNSSEC root trust anchor is outside the scope of the logging requirements in Section 5.4.1.
• The ballot text says the change is intended to carve out DNSSEC-specific logging requirements because DNS resolvers are not built for extensive logging.
• The ballot text says change management logging can confirm whether the appropriate controls are in effect for audit purposes.

Dates

• Discussion period: 2025-12-15 12:15 UTC to 2026-01-07 16:15 UTC.
• Voting period: 2026-01-07 16:15 UTC to 2026-01-14 16:15 UTC.
• Review period: 2026-01-15 18:00:00 UTC to 2026-02-14 18:00:00 UTC.
• The supplied evidence does not state a separate compliance effective date for the normative change.