Security · 5 min read

The March 2026 DNSSEC mandate will block your SSL renewal (and almost no audit tool warns you)

CA/B Forum Ballot SC-085v2 makes DNSSEC validation mandatory for certificate issuance from 15 March 2026. Misconfigured DNSSEC = zero SSL renewals. Under 10% of audit tools check this; Auditope does.


The CA/Browser Forum passed Ballot SC-085v2 in late 2024, mandating DNSSEC validation for all certificate issuance starting 15 March 2026. Practical consequence: if your domain has a DNSSEC misconfiguration (broken chain, expired RRSIG, missing DS record at the parent), your CA will refuse to issue or renew your SSL certificate. No certificate = site offline.

The trap: DNSSEC adoption is < 10%

DNSSEC has been around since 1997. Adoption stalled at ~10% of top-1M domains because it adds operational complexity (key rotation, RRSIG re-signing, DS record sync with the parent zone) without an immediately visible benefit. Many sites partially configure DNSSEC and never finish, leaving a broken configuration that went unnoticed because nothing validated it.

That changes 15 March 2026.

What can break

  • Missing DS record at registrar: you configured DNSSEC at your DNS host (Cloudflare, Route53), but never added the DS record at your domain registrar (Namecheap, GoDaddy). The chain of trust is incomplete.
  • RRSIG expired: signatures have a validity window (typically 14 days). If your re-signing cron failed silently, expired signatures cause resolver failures.
  • Algorithm mismatch: parent zone DS uses SHA-256, your zone uses SHA-1. Validation fails.
  • NSEC walking exposure: NSEC (non-NSEC3) allows zone enumeration. Not a renewal blocker but a security concern.
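As an added example (not part of the original post, and not Auditope's code), here is a small offline checker, written in Python with only the standard library, for two of the failure modes listed above: a DS at the parent that does not anchor any published DNSKEY (stale key tag, algorithm or digest mismatch, or no DS at all), and an RRSIG whose validity window has lapsed. It implements the RFC 4034 key tag and DS digest computation; the DNSKEY material in the usage below is a constructed toy key, not a real one.

```python
import base64, hashlib, struct
from datetime import datetime, timezone

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    # Canonical (lower-case) owner name in DNS wire format
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    # RFC 4034 Appendix B checksum; this is the number a DS record points at
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    # DS digest = hash(canonical owner name || DNSKEY RDATA); None for unknown digest types
    h = DIGEST_ALGS.get(digest_type)
    return h(name_to_wire(owner) + rdata).hexdigest().upper() if h else None

def check_chain(owner, dnskeys, ds_records):
    # dnskeys: (flags, proto, alg, pubkey_b64); ds_records: (key_tag, alg, digest_type, hex_digest)
    # Returns [] when at least one DS correctly anchors a published DNSKEY, else the findings.
    if not ds_records: return ["no DS at parent: DNSSEC chain of trust is incomplete"]
    keys = {}
    for flags, proto, alg, b64 in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, b64)
        keys[key_tag(rdata)] = (alg, rdata)
    findings, anchored = [], False
    for tag, alg, dtype, digest in ds_records:
        if tag not in keys:
            findings.append(f"DS {tag}: no published DNSKEY has this key tag (stale DS after a key roll?)")
        elif alg != keys[tag][0]:
            findings.append(f"DS {tag}: algorithm {alg} differs from DNSKEY algorithm {keys[tag][0]}")
        elif ds_digest(owner, keys[tag][1], dtype) != digest.upper():
            findings.append(f"DS {tag}: digest (type {dtype}) does not match the DNSKEY")
        else:
            anchored = True
    return [] if anchored else findings

def rrsig_status(inception, expiration, now=None, warn_days=3):
    # Times are RRSIG-style YYYYMMDDHHMMSS UTC strings; now defaults to the current time
    to_dt = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    inc, exp = to_dt(inception), to_dt(expiration)
    cur = to_dt(now) if now else datetime.now(timezone.utc)
    if cur < inc: return "not yet valid"
    if cur >= exp: return "expired"
    return "expiring soon" if (exp - cur).days < warn_days else "ok"
```

Feed it the DNSKEY RRset fetched from your zone and the DS RRset fetched from the parent (for example via your resolver's DNSSEC-aware query tooling); an empty findings list means the parent's DS anchors one of your published keys.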

How to test now (free)

Open Verisign DNSSEC Analyzer or DNSViz and paste your domain. Look for any red flags or broken-chain errors. Both are free, no signup.

For automated regression: AuditOPE's P2.3 phase (shipped in v0.18.3) checks the DNSSEC chain, DS presence at the parent, CAA record validity, and HSTS preload eligibility, all in one audit. The DNSSEC finding is HIGH severity with an explicit deadline reference.

Fix recipe

  1. Identify your DNS host's DNSSEC docs (Cloudflare, Route53, BIND, Bunny: all of them have how-tos).
  2. Enable DNSSEC signing on the zone.
  3. Copy the generated DS record (type 257, with key tag + algorithm + digest).
  4. Paste at registrar (look for "DNSSEC" or "DS records" section).
  5. Wait 24h for propagation. Re-test with the Verisign Analyzer until everything is green.
  6. Set up monitoring (Datadog, UptimeRobot, custom cron) for DNSSEC expiry alerts.

Don't wait until 14 March 2026 to discover your DNSSEC is broken. Fix it now.
