Reference Guide: DNSSEC and Certificate Issuance

Overview: 
This document describes how DNS Security Extensions (DNSSEC) affect certificate issuance workflows: the validation requirements, the error conditions that block issuance, and best-practice guidance for reliable certificate enrollment.

 

1. DNSSEC Overview 

Description: 
DNSSEC ensures that DNS responses are authenticated and unmodified by validating them along a chain of trust from the DNS root down to the domain. For DNSSEC-signed domains, every DNS response involved in certificate issuance must pass DNSSEC validation.

 

2. DNSSEC Validation Requirements for Certificate Issuance 

Signed Domains 

  • A domain is DNSSEC-signed when a DS (Delegation Signer) record exists in the parent zone.
  • DNSSEC validation is mandatory.
  • All DNS responses must be correctly signed.
  • Any DNS or DNSSEC error blocks certificate issuance.
  • Applies to both Domain Control Validation (DCV) and CAA checks.

Unsigned Domains 

  • No DS record exists in the parent zone. 
  • DNSSEC validation is not enforced. 
  • Certificate issuance may proceed with normal DNS rules. 
  • An unsigned domain is not an error condition by itself. 

 
 

 

3. CAA Checks and DNSSEC 

CAA records define which Certificate Authorities may issue certificates for a domain. CAA checks are performed for: 

  • Every certificate request 
  • Every Subject Alternative Name (SAN) 

During CAA evaluation, the CA performs a DNS tree traversal from the requested domain up to the IANA root (“.”). 

For DNSSEC-signed domains, every step of the traversal must return a valid, signed DNS response. Any DNS or DNSSEC error immediately blocks issuance; CAA checks cannot be skipped.
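The signed/unsigned rules of section 2 and the CAA tree traversal above, as an added example that is not part of this reference: a small Python model of the climb in which an in-memory table stands in for a validating resolver. The zone names, the CAA records, the status labels SECURE / INSECURE / BOGUS / SERVFAIL / REFUSED and the CA identifier good-ca.example are all assumptions made for the illustration.

```python
"""Added example, not part of the original reference: a small model of
the CAA tree climb and of the signed/unsigned rules from sections 2 and 3.

The resolver is a constructed in-memory stand-in for a validating
resolver. Zone names, records, the status labels SECURE / INSECURE /
BOGUS / SERVFAIL / REFUSED and the CA identifier good-ca.example are all
assumptions made for the illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Answer:
    status: str                               # SECURE, INSECURE, BOGUS, SERVFAIL, REFUSED
    caa: list = field(default_factory=list)   # CAA RRset as (flags, tag, value) tuples


# Constructed zone data keyed by fully-qualified name (trailing dot).
ZONES = {
    # signed.example. has a DS in its parent and validates; CAA at the apex only.
    ".": Answer("SECURE"),
    "example.": Answer("SECURE"),
    "signed.example.": Answer("SECURE", [(0, "issue", "good-ca.example")]),
    "www.signed.example.": Answer("SECURE"),
    # unsigned.example. has no DS in its parent: INSECURE is not an error.
    "unsigned.example.": Answer("INSECURE"),
    "www.unsigned.example.": Answer("INSECURE"),
    # broken.example. has a DS in the parent but no matching DNSKEY: BOGUS.
    "broken.example.": Answer("BOGUS"),
    "api.broken.example.": Answer("BOGUS"),
    # lame.example. is delegated to name servers that do not answer.
    "lame.example.": Answer("SERVFAIL"),
    "shop.lame.example.": Answer("SERVFAIL"),
}


def lookup(name):
    """Stand-in for a validating resolver's CAA query for `name`."""
    return ZONES.get(name, Answer("INSECURE"))


def ancestors(fqdn):
    """Yield fqdn, its parent, ... up to the root "." (RFC 8659 section 3)."""
    labels = [l for l in fqdn.split(".") if l]
    for i in range(len(labels) + 1):
        rest = labels[i:]
        yield ".".join(rest) + "." if rest else "."


def caa_permits(fqdn, ca_domain, resolver=lookup):
    """Return (allowed, reason) for issuing a certificate for fqdn.

    Rules, as stated in the reference:
      * climb from fqdn towards the root; the first name holding a CAA
        RRset decides, and the climb stops there;
      * a DNS error (SERVFAIL/REFUSED) or a DNSSEC failure (BOGUS) at any
        step blocks issuance, so the status is checked before any CAA
        content is read; CAA checks cannot be skipped;
      * INSECURE (no DS in the parent) is not an error;
      * no CAA record anywhere on the path means no restriction.
    Only the "issue" tag is evaluated here.
    """
    for name in ancestors(fqdn):
        ans = resolver(name)
        if ans.status not in ("SECURE", "INSECURE"):
            return False, f"{ans.status} at {name}: DNS/DNSSEC error blocks issuance"
        if ans.caa:
            issue = [v for _, tag, v in ans.caa if tag == "issue"]
            if not issue:
                return True, f"CAA at {name} has no issue property: no restriction"
            issuers = {v.split(";")[0].strip() for v in issue}
            if ca_domain in issuers:
                return True, f"CAA at {name} permits {ca_domain}"
            return False, f"CAA at {name} does not list {ca_domain}"
    return True, "no CAA record on the path: no restriction"


def check_request(sans, ca_domain, resolver=lookup):
    """CAA is evaluated for every SAN; the first blocked name fails the request."""
    for san in sans:
        ok, why = caa_permits(san, ca_domain, resolver)
        if not ok:
            return False, f"{san}: {why}"
    return True, "every SAN permits issuance"


if __name__ == "__main__":
    for name in ["www.signed.example", "www.unsigned.example",
                 "api.broken.example", "shop.lame.example"]:
        print(name, "->", caa_permits(name, "good-ca.example"))
```

The ordering inside the loop is the point to notice: the DNS/DNSSEC status of each step is checked before any CAA content is interpreted, which is why a bogus or unreachable name on the path blocks issuance even when no CAA record restricts the CA. The critical flag, the issuewild tag and wildcard names are not modelled.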


4. Common DNSSEC-Related Errors

DS Record Exists but DNSKEY Record Is Missing 

The parent zone indicates DNSSEC, but the domain does not publish a matching DNSKEY. 

Impact: Certificate issuance is blocked. 


DS and DNSKEY Records Do Not Match 

The DS record does not cryptographically match the DNSKEY record. 

Impact: DNSSEC validation fails and issuance is blocked. 


Multiple DS Records with One Invalid Key 

One or more DS/DNSKEY pairs fail validation. 

Impact: Issuance is blocked under strict DNSSEC enforcement. 


Lame Delegation 

The domain is delegated to name servers that are not publicly reachable. 

Impact: CAA validation fails and issuance is blocked. 


DNS Resolution Failure During CAA Evaluation 

A DNS error (for example, SERVFAIL or REFUSED) occurs during tree traversal. 

Impact: CAA checking stops and the request fails. 

5. Common DNSSEC-Related Failure Conditions

Failure Type | Required? | Description
Missing DNSKEY with Existing DS | Yes | Parent indicates DNSSEC, but no DNSKEY is published; issuance blocked.
DS and DNSKEY Mismatch | Yes | DNSSEC validation fails due to cryptographic mismatch; issuance blocked.
One Invalid Key Among Multiple DS Records | Yes | One or more DS/DNSKEY pairs fail validation; issuance blocked.
Lame Delegation | Yes | DNS servers listed are not publicly reachable; CAA validation fails; issuance blocked.
DNS Resolution Failure (SERVFAIL/REFUSED) | Yes | CAA tree traversal fails due to a DNS error; issuance blocked.

 

6. Key Parameters 

Parameter | Type | Required | Description
DS Record | DNS Resource Record | Conditional | Indicates DNSSEC signing at the parent zone.
DNSKEY Record | DNS Resource Record | Yes, for signed zones | Must match the DS; required for DNSSEC validation.
CAA Record | DNS Resource Record | No | Restricts which CAs may issue certificates. CAA checking still occurs even if the record is absent.

 

7. Technical Best Practices 

Maintain a Clean DNSSEC Configuration 

  • Ensure DS and DNSKEY records match 
  • Remove unused DS records during key rotation 
  • Avoid publishing invalid or partial DNSSEC data 
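A check for the three DS/DNSKEY failure conditions in section 5 and for the first two items above (DS and DNSKEY must match; stale DS records must be removed after a key rollover), as an added example that is not part of this reference. It implements the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest over constructed data: the zone name signed.example, the DNSKEY flags and algorithm, and the key bytes are all made up for the illustration, and only the DS-to-DNSKEY linkage is checked, not RRSIG signatures.

```python
"""Added example, not part of the original reference: audits a zone's
published DS records against its DNSKEY RRset the way a validator links
the two, and reports the DS/DNSKEY failure classes the reference lists.

Everything below is constructed for the illustration: the zone name
signed.example, the DNSKEY flags/algorithm and the key bytes. Only the
DS-to-DNSKEY linkage (key tag + digest) is checked; no signatures are
verified.
"""
import hashlib
import struct


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types understood here: 2 = SHA-256 (RFC 4509).
DIGESTS = {2: hashlib.sha256}


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA) (RFC 4034 5.1.4)."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()


def audit_ds_chain(owner, ds_records, dnskeys):
    """Compare each parent-side DS with the child's DNSKEYs.

    ds_records: list of (key_tag, algorithm, digest_type, digest_hex) as
                published in the parent zone
    dnskeys:    list of DNSKEY RDATA byte strings from the child apex
    Returns a list of findings; an empty list means every DS links to a
    DNSKEY. No DS and no DNSKEY is an unsigned zone, not a finding.
    """
    if ds_records and not dnskeys:
        return ["DS exists but DNSKEY is missing"]
    findings = []
    for tag, alg, dtype, digest in ds_records:
        matched = dtype in DIGESTS and any(
            key_tag(k) == tag
            and k[3] == alg
            and ds_digest(owner, k, dtype) == digest.lower()
            for k in dnskeys
        )
        if not matched:
            findings.append(f"DS key tag {tag}, algorithm {alg}: no matching DNSKEY")
    return findings


# Constructed KSK: flags 257 (SEP bit set), protocol 3, algorithm 13
# (ECDSA P-256/SHA-256); the 64 "public key" bytes are filler.
ZONE = "signed.example."
KSK = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))
GOOD_DS = (key_tag(KSK), 13, 2, ds_digest(ZONE, KSK))
# A stale DS left in the parent after a rollover: same tag/algorithm,
# but its digest belongs to a key that is no longer published.
STALE_DS = (key_tag(KSK), 13, 2, "00" * 32)


def demo():
    """Run the audit over the scenarios from the reference's failure table."""
    return {
        "healthy": audit_ds_chain(ZONE, [GOOD_DS], [KSK]),
        "dnskey_missing": audit_ds_chain(ZONE, [GOOD_DS], []),
        "mismatch": audit_ds_chain(ZONE, [STALE_DS], [KSK]),
        "one_of_two_bad": audit_ds_chain(ZONE, [GOOD_DS, STALE_DS], [KSK]),
        "unsigned": audit_ds_chain(ZONE, [], []),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {'blocked: ' + '; '.join(findings) if findings else 'ok'}")
```

Per the reference, any finding blocks issuance, so the stale DS in the one_of_two_bad scenario is reported even though another DS still links to the current KSK; the fix is to remove it from the parent zone rather than to add anything on the child side. Run against live data, the DS tuples would come from the parent's DS RRset and the DNSKEY byte strings from the child apex.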


Avoid Lame Delegations 

  • Ensure all authoritative name servers are publicly reachable 
  • Do not delegate public domains to internal-only DNS servers
  • Do not use public CA certificates for internal domain names
  • Periodically test delegated zones from the public internet 


Plan DNS Changes Carefully 

  • Follow provider guidance for DNSSEC key rollovers 
  • Allow time for DNS propagation 
  • Avoid DNSSEC changes immediately before certificate renewal 


Validate DNSSEC Regularly 

  • Use public tools to validate the full DNSSEC chain 
  • Retest after DNS changes or issuance failures 


Treat DNSSEC Failures as DNS Issues 

  • DNSSEC failures are typically DNS configuration problems 
  • Adding a CAA record does not fix broken DNSSEC 
  • Correcting DNS at the source is the most reliable solution 


 

8. Diagnostic Tools 

DNSSEC Validation Tools 

CAA Lookup Tools 

 

9. Frequently Asked Questions 

Do I need a CAA record to issue a certificate? 
No. CAA records are optional and only restrict which CAs may issue certificates. 

Why does issuance fail if I don’t have a CAA record? 
Issuance may fail because of DNS or DNSSEC errors, especially for DNSSEC-signed domains.

Can adding a CAA record fix DNSSEC issues? 
It may allow issuance to proceed but does not resolve underlying DNSSEC problems. 


10. Key Points

  • DNSSEC improves DNS security and enforces strict validation 
  • DNSSEC-signed domains tolerate no DNS resolution errors
  • CAA validation commonly fails due to DNSSEC or delegation issues 
  • Lame delegations are a frequent root cause 
  • Clean, publicly resolvable DNS is essential for certificate issuance 
