Ballot SMC014: DNSSEC for CAA

Result and adoption

• The ballot SMC014: DNSSEC for CAA is marked as PASSED.
• The ballot is adopted as of October 13, 2025.
• The page states that no IPR Exclusion Notices were filed.

What the ballot changes

• The ballot modifies the S/MIME Baseline Requirements (based on Version 1.0.10) by introducing a Final Maintenance Guideline.
• It introduces requirements that a Certificate Issuer MUST deploy DNSSEC validation back to the IANA DNSSEC root trust anchor on all DNS queries associated with CAA record lookups performed by the Primary Network Perspective.
• The effective date for this DNSSEC validation requirement is stated as effective March 15, 2026.
• The draft also includes minor corrections to web links in the text.

DNSSEC validation requirements (as described in the evidence)

• Effective March 15, 2026, DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed on all DNS queries associated with CAA record lookups performed by the Primary Network Perspective.
• Effective March 15, 2026, CAs MUST NOT use local policy to disable DNSSEC validation on any DNS query associated with CAA record lookups.
• Effective March 15, 2026, DNSSEC-validation errors observed by the Primary Network Perspective (e.g., SERVFAIL) MUST NOT be treated as permission to issue.
• DNSSEC validation back to the IANA DNSSEC root trust anchor MAY be performed on all DNS queries associated with CAA record lookups performed by Remote Network Perspectives as part of Multi-Perspective Issuance Corroboration.

Ballot procedure dates shown in the evidence

• Discussion start time: August 27, 2025 at 17:00:00 UTC
• Discussion end time: September 3, 2025 at 17:00:00 UTC
• Voting start time: September 3, 2025 at 17:00:00 UTC
• Voting end time: September 10, 2025 at 17:00:00 UTC
• IPR review start time: 2025-09-10 18:00:00 UTC
• IPR review end time: 2025-10-10 18:00:00 UTC