An important update: DigiCert has postponed the start date for DNSSEC validation.
Originally scheduled for 24 February 2026, validation will now begin on 3 March 2026 at 17:00 UTC (18:00 CET).
From that moment, DigiCert will validate DNSSEC (when enabled) as part of:
- Domain Control Validation (DCV)
- CAA checks
This change follows the updated TLS Baseline Requirements.
What this means for you
DNSSEC is optional.
If DNSSEC is not enabled on your certificate domains, you are not impacted and no action is required.
However, we strongly recommend verifying that DNSSEC has not been enabled on any domains used for certificate issuance within your organisation.
If DNSSEC is enabled, please review your configuration before 3 March.
Why this matters
DigiCert has already seen DNSSEC validation errors during certificate requests, which highlights the importance of reviewing your configuration before 3 March.
- Until 3 March 2026: certificates may still be issued even if DNSSEC errors are detected.
- From 3 March 2026 onwards: DNSSEC validation errors will block certificate issuance.
To avoid disruption, we recommend testing your domains in advance.
You can use DigiCert’s DNSSEC checking tool to identify configuration issues and review suggested fixes.
For environment-specific support, please contact your DNS provider. They can assist you with the correct remediation steps.
More information
Full details are available in DigiCert’s official announcement:
https://knowledge.digicert.com/alerts/digicert-validating-dnssec-to-verify-domain-control-and-perform-caa-checks