Speed up SSL issuance
GoGetSSL® offers fastest issuance of SSL due to use of LEI code and API automation. Legal Entity Identifier (LEI) is a global identity code, just like DUNS. Learn how LEI works.
Industry Update: DNSSEC checks will become mandatory for certificate issuance (starting Feb 24 / Mar 15, 2026)
-
New CA/Browser Forum rules are tightening how Certificate Authorities validate domains before issuing certificates. If a domain is DNSSEC-enabled, the CA must validate DNSSEC when performing:
- DCV (Domain Control Validation) — proving you control the domain
- CAA checks — confirming DNS allows a specific CA to issue for that domain
- If DNSSEC is enabled and DNSSEC validation fails, certificate issuance must be blocked.
-
-
!
Key dates you should know
- February 24, 2026 — DigiCert begins enforcing DNSSEC validation (when DNSSEC is present) during DCV + CAA checks.
- March 15, 2026 — CA/Browser Forum Baseline Requirements make DNSSEC validation mandatory for relevant DNS lookups (industry-wide effective date in the BR text).
- March 12, 2026 (Sectigo operational date) — Sectigo’s compliance hub also highlights broader 2026 compliance changes (including DCV reuse shortening and reminders to ensure DNSSEC signing is correctly configured if enabled).
-
*
Who is affected
Customers whose domains are DNSSEC-signed (DNSSEC is enabled at the registrar/DNS provider). If their DNSSEC setup is broken or incomplete, then DCV/CAA checks can fail and the certificate cannot be issued/reissued until DNSSEC is fixed.
Customers whose certificate domains do not have DNSSEC enabled — nothing changes in their issuance flow
-
*
Check your DNSSEC configuration
If you have DNSSEC enabled, it’s very important to check your DNSSEC configuration for all of your certificate domains prior to the enforcement of DNSSEC validation.
- Verify whether DNSSEC is enabled for every domain (and subdomain) used on certificates.
- If DNSSEC is enabled, test DNSSEC health and fix any errors before issuance deadlines.
- If DNSSEC is enabled and you don’t need it, consider discussing with your DNS provider whether to keep it enabled (DNSSEC can be beneficial, but it must be maintained correctly).
-
*
Tools / guidance
- DigiCert recommends using their DNSSEC checking approach (they reference a DNSSEC health checking tool and provide examples of common failure reasons).
- Your DNS host/registrar is usually the fastest path to fix DNSSEC because they control signing keys and DS/DNSKEY changes.
-
-
-
?
FAQ (quick answers)
- Do I need to enable DNSSEC for my SSL to work?
No. Certificates can be issued without DNSSEC. This change only affects domains that already have DNSSEC enabled. - What happens if DNSSEC is enabled but broken?
Starting enforcement, DNSSEC errors can block DCV and/or CAA checks, preventing issuance until DNSSEC is fixed. - Which products are impacted?
This applies broadly to products requiring domain validation and/or CAA checks (including Public TLS DV/OV/EV and Secure Email/S/MIME).
- Do I need to enable DNSSEC for my SSL to work?
-
Similar articles from General Questions
Order cancellation and refund rulesMonthly Billing serviceDis-allowed Domain names / regionsTAX/VAT rulesComodo is now SectigoMulti-year Subscription SSLMDF Partner ProgramCode Signing New Industry standards 2023SSL Certificate Lifecycles Are ShorteningSectigo Public Root CAs MigrationDNSSEC checks become mandatory