Matt Nordhoff
mnordhoff@infosec.exchange
Mar 16, 2026, 5:51 PM

Good news: As of yesterday, 15 March, Certificate Authorities are required to validate DNSSEC.
Bad news: That means they weren't before!
It's a potential real improvement to the security of the web PKI. Some CAs validated before (Let's Encrypt always has!) but domain owners couldn't prevent issuance by weak link CAs that didn't validate.