Dear Alibaba Cloud user,
We have been notified by DigiCert that, effective February 24, 2026, DigiCert will begin performing DNSSEC validation on the DNS responses it receives during Domain Control Validation (DCV) and DNS Certification Authority Authorization (CAA) record checks. This change implements the requirements of CA/Browser Forum ballot SC-085v2.
A DNS CAA record check is the lookup a CA performs before issuing a certificate: it queries the target domain's DNS for CAA records, which state which CAs the domain owner has authorized to issue certificates for that domain. The CA may only issue if the CAA records (or their absence) permit it.
Changes and impact
Starting February 24, 2026, DigiCert will enforce DNSSEC validation. The impact on your certificate issuance depends on your domain's configuration:
Domains without DNSSEC enabled:
No Impact. The existing validation process applies.
Domains with DNSSEC enabled and correctly configured:
No Impact. DigiCert will validate the signatures, and the checks will pass normally.
Domains with DNSSEC enabled but misconfigured:
Examples: DS records at the registrar that do not match the zone's DNSKEY, expired RRSIG signatures, key rollovers that left a stale DS or DNSKEY behind, or an incomplete chain of trust from the root to your zone.
Impact: A validating resolver rejects the responses as bogus (it returns SERVFAIL instead of data), so DCV and CAA checks fail. This delays certificate issuance or blocks it entirely until the zone validates again.
Recommended actions
If your domain has DNSSEC enabled, take the following actions as soon as possible:
Self-check and fix: Use a DNSSEC health check tool (for example DNSViz) to inspect your domain, and confirm that a validating resolver returns your records with the AD (authenticated data) flag set. Contact your domain registrar or DNS service provider to ensure DNSSEC is correctly enabled and configured, including the DS records published at the parent, the DNSKEYs in your zone, the chain of trust between them, and the validity window of the signatures.
Temporary workaround: If you cannot fix the configuration immediately, consider temporarily disabling DNSSEC to avoid blocking certificate issuance. Disable it in the right order: remove the DS record at your registrar first, and only remove the signatures from the zone after the old DS record has expired from resolver caches (at least its TTL). Removing signatures while a DS record is still published is itself the misconfiguration that makes validation fail. Re-enable DNSSEC once the configuration is fixed, since running without it removes the protection against spoofed DNS responses during validation.
Important reminders (plan ahead)
For certificates nearing expiration: If your domain uses DNSSEC, initiate the renewal process as early as possible. This allows sufficient time for troubleshooting and prevents business interruptions caused by validation failures.
For domains using CAA records: If you use CAA policies to restrict certificate issuance, ensure that your CAA records are correctly signed and validate while DNSSEC is enabled; a CAA lookup that fails DNSSEC validation is treated as a lookup failure and blocks issuance. Also confirm that the "issue" value (and, for wildcard certificates, the "issuewild" value) lists the CA you intend to use.
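The following is an added example, not part of this notice or of DigiCert's or Alibaba Cloud's tooling, showing the pieces of the self-check above as code: computing a DNSKEY's key tag and SHA-256 DS digest to confirm the DS published at the parent anchors the key you actually serve, checking an RRSIG validity window (with a margin so you see expiry coming), reading the AD flag from a dig header, and applying the CAA "issue"/"issuewild" rule for a given CA. The DNSKEY, DS, RRSIG timestamps, dig header line and CAA records are all constructed placeholders; in practice you would paste in the output of "dig +dnssec DNSKEY example.com", "dig DS example.com" and "dig +dnssec CAA example.com". It does not cryptographically verify the RRSIG itself, so it complements, rather than replaces, a validating resolver or a tool such as DNSViz.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (flags, protocol, algorithm, public key)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; it must equal the key tag field of the DS record."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> dict:
    """The DS record (digest type 2 = SHA-256) the parent zone must publish for this DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2, "digest": digest}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """A DS record only anchors the key if key tag, algorithm and digest all agree."""
    if ds["digest_type"] != 2:
        return False  # only SHA-256 digests are handled in this example
    expected = make_ds(owner, rdata)
    return all(ds[k] == expected[k] for k in ("key_tag", "algorithm", "digest"))


def rrsig_time(stamp: str) -> datetime:
    """RRSIG inception/expiration timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_window_ok(inception: str, expiration: str, now: datetime, margin_days: int = 0) -> bool:
    """True only inside the signature's validity window; margin_days flags signatures expiring soon."""
    return rrsig_time(inception) <= now <= rrsig_time(expiration) - timedelta(days=margin_days)


def response_is_validated(dig_output: str) -> bool:
    """True if the ';; flags:' header line of a dig response carries AD (authenticated data)."""
    for line in dig_output.splitlines():
        if line.startswith(";; flags:"):
            flags = line.split("flags:", 1)[1].split(";", 1)[0].split()
            return "ad" in flags
    return False


def ca_authorized(caa_records: list, ca: str, wildcard: bool = False) -> bool:
    """RFC 8659 issuance rule: with no relevant records any CA may issue; otherwise the CA's
    domain must be listed. 'issuewild' overrides 'issue' for wildcard names; 'issue ;' denies all."""
    relevant = [r for r in caa_records if r["tag"] == ("issuewild" if wildcard else "issue")]
    if wildcard and not relevant:
        relevant = [r for r in caa_records if r["tag"] == "issue"]
    if not relevant:
        return True
    allowed = {r["value"].split(";", 1)[0].strip().lower() for r in relevant}
    return ca.lower() in allowed


# --- constructed sample data (placeholders, not a real zone) ----------------
OWNER = "example.com."
PUBKEY = b"\x01\x02\x03\x04"                      # placeholder key material, not a real key
RDATA = dnskey_rdata(257, 3, 13, PUBKEY)          # KSK flags, protocol 3, ECDSAP256SHA256
GOOD_DS = make_ds(OWNER, RDATA)                   # what the registrar should publish
STALE_DS = dict(GOOD_DS, digest="00" * 32)        # a DS left behind by a bad key rollover
DIG_HEADER = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"
CAA = [{"tag": "issue", "value": "digicert.com"}, {"tag": "issuewild", "value": ";"}]


def self_check(now: datetime) -> dict:
    """Bundle the checks the way an operator would run them before requesting a certificate."""
    return {
        "ds_matches_dnskey": ds_matches_dnskey(GOOD_DS, OWNER, RDATA),
        "stale_ds_detected": not ds_matches_dnskey(STALE_DS, OWNER, RDATA),
        "rrsig_in_window": rrsig_window_ok("20260201000000", "20260301000000", now, margin_days=2),
        "resolver_set_ad": response_is_validated(DIG_HEADER),
        "digicert_may_issue": ca_authorized(CAA, "digicert.com"),
        "digicert_may_issue_wildcard": ca_authorized(CAA, "digicert.com", wildcard=True),
    }


if __name__ == "__main__":
    for check, ok in self_check(rrsig_time("20260224000000")).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

With the constructed data the wildcard check fails on purpose: the "issuewild ;" record denies wildcard issuance to every CA, which is the kind of CAA policy that only surfaces when you request a wildcard certificate. Replace the placeholders with your own DNSKEY RDATA, the DS record your registrar publishes and your real CAA set to use this before a renewal.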