General section
Activation of DNSSEC on 02.03.2026
We would like to draw your attention to the planned activation of DNSSEC validation (where DNSSEC is present) for CAA and DCV lookups.
What do I have to do as a customer?
- Important: There is no obligation for certificate users to activate DNSSEC!
- No effort if DNSSEC is already configured correctly; moderate effort for DNSSEC reconfiguration or correction.
- Please note that the change may cause slight delays in the issuing of certificates.
- Please have a look at the blog "Certificate Authorities to validate DNSSEC" for more information.
Timeline
The following date is planned for the activation of DNSSEC validation:
- Production environment: 2nd of March 2026
Background
- Current status: Since September 2017, certificate authorities have been required to check whether CAA (Certification Authority Authorisation) records are published in the DNS for the domain in question before issuing any certificates. These records allow domain owners to specify which CAs are authorised to issue certificates for them – an important control against mis-issuance. However, the current regulation does not require CAs to verify the authenticity of these DNS responses using DNSSEC. This means that an attacker with man-in-the-middle access to DNS queries could manipulate or remove CAA records.
- Problem/driver: DNS cache poisoning and DNS spoofing remain relevant attack vectors. Browser vendors (especially Mozilla and Google) have for years been increasingly demanding that CAs systematically implement DNSSEC validation. The current ballots are part of a larger initiative to strengthen DNS security in the PKI ecosystem.
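To illustrate what the change means in practice, here is an added example (not SwissSign's code) that simulates the CAA tree-climbing check a CA performs (RFC 8659) over a constructed, in-memory view of DNS answers, each tagged with the DNSSEC validation state a validating resolver would report. The zone data and the CA identifier "swisssign.com" are constructed placeholders, not real records or the value any CA actually matches on.

```python
# Added example: CAA lookup with DNSSEC validation state taken into account.
# Constructed data, not real zones; "swisssign.com" is an assumed placeholder.

# domain -> (dnssec_state, list of (tag, value) CAA records)
# dnssec_state: "secure" (validated), "insecure" (no DNSSEC), "bogus" (failed)
ZONES = {
    "shop.example.com": ("secure", []),                        # no CAA here
    "example.com":      ("secure", [("issue", "swisssign.com")]),
    "example.net":      ("bogus",  [("issue", "swisssign.com")]),
    "example.org":      ("insecure", [("issue", ";")]),        # nobody may issue
    "www.example.info": ("insecure", [("issuewild", "swisssign.com")]),
}

class DnssecValidationError(Exception):
    """Raised when an answer on the lookup path fails DNSSEC validation."""

def lookup_caa(domain):
    """Climb from `domain` towards the root and return the first non-empty
    CAA record set (RFC 8659, section 3). Names absent from ZONES are
    treated as an empty, insecure answer in this constructed model."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        state, records = ZONES.get(name, ("insecure", []))
        if state == "bogus":
            raise DnssecValidationError(f"DNSSEC validation failed at {name}")
        if records:
            return records
    return []

def may_issue(domain, ca_id, wildcard=False):
    """Return True if `ca_id` is permitted to issue for `domain`.
    With DNSSEC validation enabled, a bogus answer blocks issuance instead
    of being silently accepted; without validation, a spoofed or removed
    CAA record would go unnoticed."""
    try:
        records = lookup_caa(domain)
    except DnssecValidationError:
        return False
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for t, v in records if t == tag]
    if wildcard and not relevant:          # issuewild falls back to issue
        relevant = [v for t, v in records if t == "issue"]
    if not relevant:                       # no CAA constraint found
        return True
    # "issue ;" yields an empty issuer domain and so never matches a CA
    return any(v.split(";")[0].strip() == ca_id for v in relevant)
```

A lookup that returns a bogus answer is the case behind the "slight delays" mentioned above: the CA cannot issue until the DNSSEC chain is repaired.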
Please do not hesitate to contact us if you have any questions.
Kind regards
Your SwissSign-Team