← Back to context

Comment by tptacek

10 hours ago

The fact that it's 2026 and the CAs are only now getting around to requiring any CA to take DNSSEC, which has in its current form been operational for well over a decade, makes you take DNSSEC more seriously?

10 comments

tptacek

Reply
alwillis  4 hours ago

LetsEncrypt has been checking for DNSSEC since they launched 10+ years ago.

       The ACME standard recommends ACME-based CAs use DNSSEC for validation, section 11.2 [1]:
       An ACME-based CA will often need to make DNS queries, e.g., to
       validate control of DNS names.  Because the security of such
       validations ultimately depends on the authenticity of DNS data, every
       possible precaution should be taken to secure DNS queries done by the
       CA.  Therefore, it is RECOMMENDED that ACME-based CAs make all DNS
       queries via DNSSEC-validating stub or recursive resolvers.  This
       provides additional protection to domains that choose to make use of
       DNSSEC.

       An ACME-based CA must only use a resolver if it trusts the resolver
       and every component of the network route by which it is accessed.
       Therefore, it is RECOMMENDED that ACME-based CAs operate their own
       DNSSEC-validating resolvers within their trusted network and use
       these resolvers both for CAA record lookups and all record lookups in
       furtherance of a challenge scheme (A, AAAA, TXT, etc.).

[1]: https://datatracker.ietf.org/doc/html/rfc8555/#section-11.2

  • tptacek  4 hours ago

    Yes, that's my understanding as well. You'll notice my top-level comment from a few hours ago says that as well.

    (You edited your comment to include more detail about when LE started validating DNSSEC; all I know is that it's been many years that they've been doing it.)

thenewnewguy  10 hours ago

Why dodge the question? Clearly they care today, and I live in today.

If we're doing to defer to industry, does only the opinion of website operators matter, or do browsers and CAs matter too? Browsers and CAs tend to be pretty important and staff big security teams too.

  • rstupek  10 hours ago

    Are they requiring DNSSEC in order to acquire the certificate? That would be a better indicator to me that it's not security theater=security

    • Bender  10 hours ago

      Barely 5% of the internet have DNSSEC signed zones and a big chunk of that are handled by CDN's that do the signing automagically for the domain owner as they also host SOA DNS. Mandating DNSSEC would require years of planning and warning those that have not yet set it up and in my opinion DNSSEC tooling should become a better first class citizen in all of the authoritative DNS daemons. as in there should be so many levels of error handling and validation that it would be next to impossible for anyone to break their zones.

      So do we wait for all the stragglers? Wait for the top 500 or top 2500 to make it mandatory? Who takes financial responsibility for those that fell through the cracks?

    • tptacek  10 hours ago

      No CA requires DNSSEC. Obviously they can't: almost nothing is signed. The only change "today" is that technically CAs are now required to honor DNSSEC, where they weren't before.

      4 replies →