Cert Authorities Check for DNSSEC from Today
Starting today, all Certificate Authorities (CAs) are mandated to validate DNSSEC for any domain where it is enabled, enhancing security during the certificate issuance process.
About 14 years ago I set up DNSSEC. I've been running it on all of my domains ever since, without issue. First using bind9 and then later using PowerDNS.
From today, all Certificate Authorities (CAs) must validate DNSSEC when a domain has it enabled.
So from today, when a CA looks up my CAA record to see if they are allowed to issue a cert for one of my domains, they must validate that the response they received is valid. And during the ACME dance, they have to validate those DNS records too.
I assume that all CA's had implemented this requirement prior to today, if only so they could test it before the deadline was reached. But now it is mandatory, and I expect that any evidence that they are not doing it will be treated harshly.
You might not want to learn about DNSSEC. You probably don't host your own DNS zone. There's a reasonable chance you own your own domain name though if you're here reading this. Why not go find out if your registrar supports DNSSEC for your domains? It might be a one click operation to turn it on...
Source: Hacker News
