Certificate authorities have started checking DNSSEC before issuing TLS certificates. If your domain has DNSSEC enabled and the signatures are invalid, CAs will now refuse to issue a certificate. This is a quiet change that has significant implications for anyone managing web infrastructure.
Let me unpack why this matters.
First, some context. When you request a TLS certificate from a CA like Let's Encrypt or DigiCert, the CA needs to verify that you control the domain. They do this through DNS-based challenges (put this TXT record on your domain) or HTTP-based challenges (put this file on your web server). The CA then issues a certificate that browsers trust.
The problem is that DNS itself isn't inherently secure. Without DNSSEC, an attacker who can manipulate DNS responses (through BGP hijacking, DNS cache poisoning, or compromising an upstream resolver) can potentially pass the CA's domain validation challenge and get a certificate for a domain they don't own. With that certificate, they can impersonate the legitimate site.
DNSSEC adds cryptographic signatures to DNS records, making it possible to verify that DNS responses haven't been tampered with. If a CA checks DNSSEC signatures before issuing a certificate, it adds a layer of protection against DNS-based attacks on the certificate issuance process.
The new behavior is this: if your domain has DNSSEC enabled (meaning your registrar has published DS records in the parent zone), CAs will now validate the DNSSEC chain before proceeding with certificate issuance. If the DNSSEC signatures are invalid - expired, misconfigured, or broken - the CA will refuse to issue.
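The chain described above runs from the DS record your registrar published in the parent zone to the DNSKEY your zone serves; if the two disagree (typically a DS left behind after a key rollover), validation fails and, under the new behavior, so does issuance. The following is an added example, not code from the original post: it implements the DS digest (RFC 4034 section 5.1.4) and key-tag (RFC 4034 appendix B) computations so you can recompute the DS your parent should carry and compare it with what was actually published. The zone name example.test and the key bytes are constructed placeholders, not real keys; the function names are this example's own.

```python
"""Recompute DS records from a zone's DNSKEY RRset and compare with the parent's DS.

Added example, not part of the original post. The zone name and key material
below are constructed placeholders, not real keys.
"""
import base64
import hashlib

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as on the wire: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 appendix B key tag: the 16-bit id that DS and RRSIG records reference."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if (i & 1) else (byte << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def check_ds_matches(owner, dnskeys, published_ds):
    """Return the published DS records that match no DNSKEY the zone serves.

    dnskeys: iterable of (flags, protocol, algorithm, pubkey_b64) from the zone's DNSKEY RRset.
    published_ds: iterable of (key tag, algorithm, digest type, hex digest) from the parent.
    An empty result means every DS points at a key the zone serves; anything else is the
    classic post-rollover breakage that makes validators reject the zone.
    """
    expected = set()
    for flags, protocol, algorithm, pubkey_b64 in dnskeys:
        for digest_type in DS_DIGEST:
            expected.add(ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type))
    return [ds for ds in published_ds if (ds[0], ds[1], ds[2], ds[3].upper()) not in expected]


# Constructed sample: not real keys, just bytes in the right positions (257 = KSK, 256 = ZSK).
ZONE = "example.test."
KSK_PUBKEY_B64 = base64.b64encode(b"constructed-ksk-public-key-bytes-not-real").decode()
ZSK_PUBKEY_B64 = base64.b64encode(b"constructed-zsk-public-key-bytes-not-real").decode()
ZONE_DNSKEYS = [(257, 3, 13, KSK_PUBKEY_B64), (256, 3, 13, ZSK_PUBKEY_B64)]

if __name__ == "__main__":
    current = ds_from_dnskey(ZONE, *ZONE_DNSKEYS[0])
    print("DS the parent should publish:", current)
    # A DS left behind from a previous KSK: same tag and algorithm, digest of other key material
    stale = (current[0], current[1], current[2], "00" * 32)
    print("published DS matching no served key:", check_ds_matches(ZONE, ZONE_DNSKEYS, [stale]))
```

In practice the DNSKEY tuples come from `dig DNSKEY <zone>` against your authoritative servers and the DS tuples from `dig DS <zone>` against the parent; comparing the two after every key rollover, and before every certificate renewal window, catches the mismatch before a validator does.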
This is a good thing for security. It's a potentially disruptive thing for operations.
Here's why I'm paying attention: DNSSEC is notoriously easy to break and hard to debug. The signatures expire and need to be rotated. Key rollovers are complex multi-step processes. A misconfigured DNSSEC setup doesn't just fail to provide security - it actively breaks DNS resolution for validators. And now, it also breaks certificate issuance.
If you've enabled DNSSEC on your domains (which many registrars now do by default or encourage), you need to make sure it's properly maintained. A DNSSEC misconfiguration that previously just meant some resolvers couldn't reach your site now also means you can't renew your TLS certificates. Your HTTPS stops working because your DNSSEC is broken. That's a nasty failure mode.
Practical recommendations:
Audit your DNSSEC status. For every domain you manage, check whether DNSSEC is enabled. If it is, verify the signatures are valid using tools like dig +dnssec or online validators like DNSViz.
Monitor DNSSEC health. Set up monitoring that alerts you when DNSSEC signatures are approaching expiration or when validation fails. This was always good practice. It's now critical.
Understand your registrar's DNSSEC automation. Some registrars handle DNSSEC signing and key rotation automatically. Others require manual intervention. Know which category yours falls into.
If you don't need DNSSEC, consider whether it's worth the operational overhead. For most sites, HTTPS with proper certificate management provides sufficient security. DNSSEC adds defense-in-depth but also adds operational complexity. If you can't commit to maintaining it, it might be safer to disable it than to have a broken configuration.
Test certificate renewal in staging. If you use automated certificate renewal (and you should), test it against domains with DNSSEC enabled. Make sure your renewal pipeline handles DNSSEC validation correctly.
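The audit and monitoring recommendations above (checking signatures with dig +dnssec, alerting before they expire or when validation fails) can be scripted. The following is an added example, not code from the original post: it parses the output of dig +dnssec from a validating resolver, classifies each RRSIG as valid, expiring within a warning window, expired or not yet valid, and reports whether the resolver set the AD flag. The embedded dig output, the name example.test and the signature strings are constructed sample data; the seven-day warning window and the function names are this example's own choices.

```python
"""Flag expired, not-yet-valid or soon-to-expire RRSIGs in `dig +dnssec` output.

Added example, not part of the original post. The dig output embedded below
is constructed sample data.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034 section 3.2):
# <owner> <ttl> IN RRSIG <type covered> <alg> <labels> <orig ttl> <expiration> <inception> <key tag> <signer> <sig>
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+"
    r"(?P<orig_ttl>\d+)\s+(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)\s+"
)
AD_FLAG_RE = re.compile(r"^;; flags:([^;]*);")


def parse_sigtime(text):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_dig(text):
    """Return (ad_flag_set, list of RRSIG dicts) from dig +dnssec output."""
    ad, sigs = False, []
    for line in text.splitlines():
        line = line.strip()
        m = AD_FLAG_RE.match(line)
        if m:
            ad = "ad" in m.group(1).split()
            continue
        m = RRSIG_RE.match(line)
        if m:
            sigs.append({
                "covered": m["covered"], "keytag": int(m["keytag"]), "signer": m["signer"],
                "inception": parse_sigtime(m["inception"]), "expiration": parse_sigtime(m["expiration"]),
            })
    return ad, sigs


def check_health(text, now, warn=timedelta(days=7)):
    """Classify each signature; returns a list of (covered type, status, detail)."""
    ad, sigs = parse_dig(text)
    findings = []
    if not ad:
        findings.append(("*", "NO_AD", "resolver did not set AD: chain did not validate or resolver is not validating"))
    if not sigs:
        findings.append(("*", "NO_RRSIG", "no RRSIG records in the answer"))
    for s in sigs:
        who = f"keytag {s['keytag']} signer {s['signer']}"
        if now < s["inception"]:
            findings.append((s["covered"], "NOT_YET_VALID", f"{who} inception {s['inception']:%Y-%m-%d %H:%M}Z"))
        elif now > s["expiration"]:
            findings.append((s["covered"], "EXPIRED", f"{who} expired {s['expiration']:%Y-%m-%d %H:%M}Z"))
        elif s["expiration"] - now <= warn:
            findings.append((s["covered"], "EXPIRING", f"{who} expires in {s['expiration'] - now}"))
        else:
            findings.append((s["covered"], "OK", f"{who} valid until {s['expiration']:%Y-%m-%d %H:%M}Z"))
    return findings


def is_healthy(findings):
    """True only when every signature is inside its window and the answer was authenticated."""
    return all(status == "OK" for _, status, _ in findings)


# Constructed sample: two RRSIGs over the A RRset, as seen part-way through a ZSK rollover.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.   3600  IN  A      192.0.2.10
example.test.   3600  IN  RRSIG  A 13 2 3600 20240110120000 20240101120000 12345 example.test. c29tZS1jb25zdHJ1Y3RlZC1zaWduYXR1cmU=
example.test.   3600  IN  RRSIG  A 13 2 3600 20240201120000 20240101120000 54321 example.test. YW5vdGhlci1jb25zdHJ1Y3RlZC1zaWduYXR1cmU=
"""

# Constructed sample: the same name from a resolver that neither validated nor returned signatures.
SAMPLE_UNSIGNED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.   3600  IN  A      192.0.2.10
"""

if __name__ == "__main__":
    # Usage: dig +dnssec example.com A | python3 dnssec_sig_check.py   (exit 1 = alert)
    text = SAMPLE_DIG if sys.stdin.isatty() else sys.stdin.read()
    findings = check_health(text, datetime.now(timezone.utc))
    for covered, status, detail in findings:
        print(f"{status:<14} {covered:<6} {detail}")
    sys.exit(0 if is_healthy(findings) else 1)
```

Run it from cron against each signed zone and alert on a non-zero exit. The check is deliberately conservative: any signature outside its window trips the alert, including an old signature still visible during a rollover, which is exactly when you want someone looking at the zone. Query a validating resolver (or your authoritative servers with +dnssec) rather than a stub that strips signatures, because the resolver that matters for issuance is the CA's, not the one on your laptop.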
The CAs' decision to check DNSSEC is the right call from a security perspective. It closes a real attack vector. But it also raises the bar for DNS operations. DNSSEC has been optional in practice - many sites enabled it but didn't actively maintain it, and the consequences of misconfiguration were limited. That's no longer the case.
If you manage domains with DNSSEC, now is a good time to verify everything is in order. Finding out your DNSSEC is broken when your certificate renewal fails at 3 AM is not how you want to spend your night.