Cert Authorities Check for DNSSEC from Today
The CA/Browser Forum now requires Certificate Authorities (CAs) to perform DNSSEC validation whenever a domain has DNSSEC enabled, so that the DNS lookups a CA relies on during certificate issuance cannot be silently spoofed. The change ignites a fierce debate on Hacker News: proponents champion DNSSEC as a cryptographic foundation for the internet, while a vocal contingent, including a well-known security expert, argues it is a moribund, error-prone standard with low adoption that brings more availability risk than security gain.
The Lowdown
A recent change to the Certificate Authority (CA) requirements means that as of March 15, 2026, CAs must perform DNSSEC validation for any domain that has DNSSEC enabled. This covers the security-critical lookups made during issuance: CAA records and the DNS queries used for Domain Control Validation (DCV). The author of the post, a long-time DNSSEC user, highlights the significance of the mandate, emphasizing that CAs are now formally obliged, under the CA/Browser Forum's Baseline Requirements, to perform this validation.<ul><li>The new rule, set by the CA/Browser Forum, applies only when DNSSEC is already active on a domain; unsigned zones are unaffected.</li><li>It ensures that the answers a CA receives for CAA records (which name the CAs permitted to issue for a domain) and during ACME (Automated Certificate Management Environment) validation are cryptographically verified rather than taken on trust.</li><li>The author has been running DNSSEC on his domains for 14 years without issues, using both bind9 and PowerDNS.</li><li>He suggests that even those who don't host their own DNS should check whether their registrar offers "one-click" DNSSEC enablement.</li></ul>While seemingly a minor operational change for CAs, the mandate elevates DNSSEC's role in the certificate ecosystem and prompts questions about its wider adoption and perceived benefits across the internet security landscape.
The Gossip
The Great DNSSEC Debate: Doom or Deliverance?
The comment section quickly turns into a spirited round of a long-running debate over DNSSEC's value. Critics, led by a prominent security expert, argue that DNSSEC is "moribund", with extremely low adoption among top sites (single-digit percentages). They contend that it introduces significant availability risk through complexity and misconfiguration, that it defends against rare, exotic attacks most entities do not face, and that, since its chain of trust runs through the root and the TLD operators, it arguably hands leverage to state-level adversaries. Proponents, by contrast, champion DNSSEC as a vital, cryptographically secure foundation for the internet, arguing that its low adoption stems from "lazy sysadmins", FUD, and a lack of financial incentive for broader deployment rather than from inherent flaws. They see the CA mandate as a positive step towards a more secure web.
Practical Pitfalls & Perceived Pain Points
Beyond the theoretical debate, commenters discussed the practical realities of implementing and maintaining DNSSEC. Many expressed fear of turning it on because a mistake can take the entire domain offline for validating resolvers. Concerns were raised about the complexity of key management, especially manual DS rotation when registrars lack APIs. It was pointed out that even where a provider offers "one-click" enablement it is often not straightforward, particularly when DNS hosting and domain registration are split across providers (e.g. AWS users). The extra query load and larger responses on busy sites were also mentioned. Some highlighted that monitoring DNSSEC (and DANE/CAA) externally, through a validating resolver, is crucial, since an expired signature or a stale DS record is invisible to a non-validating check.
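To make the two halves of this page concrete, here is an added example that is not from the linked post, the CA/Browser Forum or any CA's code. It is a minimal DNS wire-format parser used in two roles: first as a CA-side gate on a CAA lookup (the mandate in The Lowdown: refuse on a SERVFAIL, and for a signed zone accept only an answer the validating resolver marked with the AD bit), and second as the kind of external monitor commenters asked for, which reads the expiration out of the RRSIG covering the CAA RRset and reports how many days remain. The responses, the key tag, the "signed but AD=0 means refuse" rule and the fixed `NOW` timestamp are all constructed assumptions for the example; the signature bytes are dummies and are not verified.

```python
import struct

TYPE_CAA, TYPE_RRSIG = 257, 46
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
NOW = 1_700_000_000  # fixed "current time" (constructed) so the example is deterministic


def _read_name(msg, off):
    """Decode a DNS name at msg[off], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it appeared at off)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Header flags, RCODE and the answer section as (owner, type, ttl, rdata) tuples."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qdcount):  # skip the question: name + qtype + qclass
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        records.append((owner, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F, "records": records}


def parse_caa(rdata):
    """CAA rdata (RFC 8659): flags byte, tag length, tag, value."""
    taglen = rdata[1]
    return rdata[0], rdata[2:2 + taglen].decode("ascii"), rdata[2 + taglen:].decode("ascii")


def parse_rrsig(rdata):
    """RRSIG rdata (RFC 4034 section 3.1); the signer name is never compressed."""
    covered, alg, _, _, expiration, inception, keytag = struct.unpack_from("!HBBIIIH", rdata, 0)
    signer, _ = _read_name(rdata, 18)
    return {"covered": covered, "algorithm": alg, "expiration": expiration,
            "inception": inception, "key_tag": keytag, "signer": signer}


def caa_permits_issuance(msg, zone_is_signed, ca_domain):
    """CA-side gate on a CAA answer from a validating resolver. zone_is_signed means the
    parent publishes a DS for the zone. Returns (permitted, reason)."""
    resp = parse_response(msg)
    if resp["rcode"] == RCODE_SERVFAIL:
        return False, "SERVFAIL (bogus or unreachable): lookup failed, do not issue"
    if zone_is_signed and not resp["ad"]:  # this example's conservative rule, not BR text
        return False, "zone is signed but the answer was not validated (AD=0): do not issue"
    issue_targets = []
    for _, rtype, _, rdata in resp["records"]:
        if rtype == TYPE_CAA:
            _, tag, value = parse_caa(rdata)
            if tag == "issue":
                issue_targets.append(value)
    if not issue_targets:
        return True, "no CAA issue records: any CA may issue"
    if ca_domain in issue_targets:
        return True, f"CAA permits {ca_domain}"
    return False, f"CAA restricts issuance to {issue_targets}"


def rrsig_days_left(msg, now=NOW):
    """External-monitor view: days until the earliest RRSIG in the answer expires, None if unsigned."""
    exps = [parse_rrsig(rd)["expiration"] for _, t, _, rd in parse_response(msg)["records"] if t == TYPE_RRSIG]
    return None if not exps else (min(exps) - now) / 86400


# --- constructed sample answers to "example.com. IN CAA" (not captured traffic) ---
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in s.rstrip(".").split(".")) + b"\x00"

def _rr(owner, rtype, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(flags, rcode, records):
    header = struct.pack("!6H", 0x1234, flags | rcode, 1, len(records), 0, 0)
    return header + _name("example.com") + struct.pack("!HH", TYPE_CAA, 1) + b"".join(records)

OWNER = b"\xc0\x0c"  # pointer back to the question name at offset 12
CAA_RDATA = bytes([0, len("issue")]) + b"issue" + b"letsencrypt.org"
RRSIG_RDATA = (struct.pack("!HBBIIIH", TYPE_CAA, 13, 2, 3600, NOW + 5 * 86400, NOW - 10 * 86400, 12345)
               + _name("example.com") + b"\x00" * 64)  # dummy signature bytes
VALIDATED = build_response(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, RCODE_NOERROR,
                           [_rr(OWNER, TYPE_CAA, 3600, CAA_RDATA), _rr(OWNER, TYPE_RRSIG, 3600, RRSIG_RDATA)])
UNVALIDATED = build_response(FLAG_QR | FLAG_RD | FLAG_RA, RCODE_NOERROR, [_rr(OWNER, TYPE_CAA, 3600, CAA_RDATA)])
BOGUS = build_response(FLAG_QR | FLAG_RD | FLAG_RA, RCODE_SERVFAIL, [])

if __name__ == "__main__":
    for label, msg in (("validated", VALIDATED), ("unvalidated", UNVALIDATED), ("bogus", BOGUS)):
        print(label, caa_permits_issuance(msg, True, "letsencrypt.org"), rrsig_days_left(msg))
```

Against real zones the monitor half would feed `rrsig_days_left` the bytes returned by a validating resolver that sets the AD bit (the same kind of resolver the mandate obliges CAs to use), which is exactly why commenters insist the check be run from outside: a non-validating resolver never surfaces the SERVFAIL that the `BOGUS` sample models, and the signed-zone-with-AD=0 case shows what a CA sees if its resolver is not validating at all.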