March 16, 2026
One-click to secure—or to chaos?
Cert Authorities Check for DNSSEC from Today
CAs now check DNSSEC: admins panic while power users shout “finally”
TLDR: From now on, certificate authorities must verify DNSSEC whenever a domain uses it. Commenters are split between cheering stronger security and fearing misconfiguration, with war stories of breakage and bold call-outs of “lazy admins” igniting a lively debate over whether flipping that switch is worth the stress.
The internet’s certificate bouncers just got stricter: starting now, Certificate Authorities (the folks who grant HTTPS padlocks) must validate DNSSEC if you’ve turned it on. DNSSEC is a security upgrade to the internet’s phonebook, and commenters are split between “about time” and “please don’t make me push that button.” As HN regular tptacek calmly clarifies, CAs now must check DNSSEC when verifying domain control (DCV) and who’s allowed to issue your certs (CAA)—and yes, Let’s Encrypt already does this. The crowd reaction? Pure drama.
One camp is spooked: baggy_trough admits, “I’m too afraid to turn it on,” while rmoriz shares a war story—signing with the wrong keys once broke DANE (another security feature tied to DNSSEC), urging external monitoring to avoid “one-click” disasters. On the other side, indolering is swinging a crypto sword, praising DNS as a “free, secure, distributed” backbone and roasting “lazy sys admins” for spreading FUD, even linking to the classic anti-DNSSEC polemic at sockpuppet.org. Meanwhile, tptacek drops a sly aside—“Seems… unlikely”—in a meta squabble over who argues about DNSSEC more, fueling popcorn-level snark.
Jokes fly about the ACME dance (the automated cert process) now having a stricter chaperone, and the mood is peak tech soap opera: will “one-click DNSSEC” be your glow-up or your meltdown?
Key Points
- Effective today, CAs must validate DNSSEC when it is enabled on a domain.
- DNSSEC validation is required for CAA record lookups related to certificate issuance.
- DNSSEC validation is also required during ACME-based domain control validation.
- Previously, CAs could ignore DNSSEC even if a domain had it enabled.
- The author advises domain owners to check registrar support and enable DNSSEC, which may be a simple action.
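As an added illustration (not code from the article, from Let's Encrypt, or from any CA), here is a toy Python model of the CAA step the article says CAs must now perform with DNSSEC validation: it parses the output of `dig +dnssec CAA <domain>` as seen through a validating resolver, applies the RFC 8659 issue/issuewild rules to decide whether a named issuer may issue, and treats a SERVFAIL (what a validating resolver returns for a badly signed zone) as a lookup the CA cannot act on. The three dig responses inside are constructed, the issuer name `letsencrypt.org` is Let's Encrypt's published CAA identifier, and the function names are my own. The AD-flag check stands in for the CA's own validation, which a real CA performs itself rather than trusting a recursive resolver's flag, and the walk up to parent names that a real CAA lookup does is omitted.

```python
"""
Toy model of the CA-side check: read CAA records through a DNSSEC-validating
resolver and decide whether a given issuer may issue. Input is the text of
`dig +dnssec CAA <name>`. The sample responses are constructed, not captured.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CAARecord:
    flags: int   # 128 = issuer-critical bit set (RFC 8659)
    tag: str     # issue, issuewild, iodef, or something unknown
    value: str   # e.g. 'letsencrypt.org' or ';' (nobody may issue)


@dataclass
class DnsResult:
    status: str                          # NOERROR, NXDOMAIN, SERVFAIL, ...
    ad: bool                             # Authenticated Data flag from the resolver
    caa: list = field(default_factory=list)


_STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
_FLAGS_RE = re.compile(r";; flags:\s*([^;]*);")
# owner  TTL  IN  CAA  flags  tag  "value"
_CAA_RE = re.compile(r'^\S+\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"', re.M)


def parse_dig(text: str) -> DnsResult:
    """Extract the rcode, the AD flag and any CAA answers from dig output."""
    status = _STATUS_RE.search(text)
    flags = _FLAGS_RE.search(text)
    ad = bool(flags) and "ad" in flags.group(1).split()
    caa = [CAARecord(int(f), t.lower(), v) for f, t, v in _CAA_RE.findall(text)]
    return DnsResult(status.group(1) if status else "UNKNOWN", ad, caa)


def _issuer_name(value: str) -> str:
    # A CAA value is "issuer-domain-name [; param=value ...]"; an empty name means nobody.
    return value.split(";", 1)[0].strip().lower()


def caa_permits(records, issuer: str, wildcard: bool = False) -> bool:
    """RFC 8659 decision for one name: may `issuer` issue, given these CAA records?"""
    known = {"issue", "issuewild", "iodef"}
    # An unknown property tag with the critical bit set means the CA must refuse.
    if any(r.flags & 128 and r.tag not in known for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # For wildcard names issuewild takes precedence when present; otherwise issue applies.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no restriction expressed at this name
    return any(_issuer_name(r.value) == issuer.lower() for r in relevant)


def issuance_decision(dig_text: str, issuer: str, wildcard: bool = False):
    """Return (decision, dnssec_state) the way a validating CA treats the answer."""
    res = parse_dig(dig_text)
    if res.status not in ("NOERROR", "NXDOMAIN"):
        # A validating resolver answers SERVFAIL for a bogus (mis-signed) zone.
        # A plain outage looks the same from here, which is why the zone's
        # validation status needs external monitoring.
        return ("dns-validation-failed", "not-validated")
    decision = "permitted" if caa_permits(res.caa, issuer, wildcard) else "denied"
    return (decision, "secure" if res.ad else "insecure")


# --- constructed sample responses (hypothetical zone example.com) ---
SIGNED_OK = """\
; <<>> DiG 9.18 <<>> +dnssec CAA example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  3600  IN  CAA  0 issue "letsencrypt.org"
example.com.  3600  IN  CAA  0 issuewild ";"
example.com.  3600  IN  RRSIG  CAA 13 2 3600 20260401000000 20260315000000 12345 example.com. PLACEHOLDERSIG==
"""

BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

UNSIGNED_NO_CAA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for label, sample in (("signed", SIGNED_OK), ("bogus", BOGUS), ("unsigned", UNSIGNED_NO_CAA)):
        print(label, issuance_decision(sample, "letsencrypt.org"))
    print("signed wildcard", issuance_decision(SIGNED_OK, "letsencrypt.org", wildcard=True))
```

The three samples map onto the article's camps: `insecure` is the state the "one-click" advice turns into `secure`, while the `bogus` case is rmoriz's war story in miniature, since a zone signed with the wrong keys no longer just breaks DANE but now stops certificate issuance, which is the reason to monitor the zone's validation status from outside.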