DNSSEC SSL Renewal Failures Explained
By Steven | TrustYourWebsite | 2 min read
Source: Sucuri Blog
If your domain uses DNSSEC, a recent change to how certificate authorities validate domains before issuing SSL/TLS certificates can cause your certificate renewal to fail. Because automated renewals usually run unattended, the failure often goes unnoticed until the old certificate expires and visitors see a certificate warning in their browser.
What happened
According to the Sucuri blog, Sucuri's web application firewall (WAF) began fully supporting CA/Browser Forum Ballot SC-085v2 in March 2026. Since that change, some SSL certificate renewals have been failing for domains whose DNSSEC is not configured correctly.
The CA/Browser Forum is the industry body where the major certificate authorities and browser makers agree on the rules for issuing SSL/TLS certificates. When a ballot such as SC-085v2 passes, every compliant certificate authority must follow it. The rule is straightforward: the DNS lookups a certificate authority performs to validate a domain must be DNSSEC-validated, so if a domain publishes DNSSEC records, the entire chain of trust (from the root, through the parent zone's DS record, down to the signatures in your zone) must verify before a certificate can be issued. If that validation fails, the certificate request is rejected. Domains that do not use DNSSEC at all are not affected by this check.
Why DNSSEC can cause problems
DNSSEC adds cryptographic signatures to your domain's DNS records so that resolvers can detect forged or tampered answers, which protects against attacks such as cache poisoning. Enabling it is generally a good idea. However, it requires ongoing maintenance: signatures expire and must be regenerated, keys must be rolled over carefully, and the DS record at your registrar must always match a key your zone actually serves. Any of these slipping breaks the chain of trust that SC-085v2 now requires certificate authorities to verify.
According to Sucuri, the most common misconfigurations causing failures include:
- Mismatched or missing DS records at your domain registrar (the parent zone points at a key your zone no longer serves, or at no key at all)
- Expired RRSIG signatures (the zone was not re-signed before its signatures' expiration time)
- Botched key rollovers (the old key or DS was withdrawn before the new one was fully published and cached)
- Inconsistent responses across name servers (one authoritative server serves a different DNSKEY set or stale signatures)
- Clock skew on the signing host, or a DS or DNSKEY algorithm mismatch
The underlying DNSSEC standards are defined in RFC 4033, RFC 4034 and RFC 4035. These are technical specifications, but the practical point is simple: a validating resolver treats a signed zone whose chain cannot be verified as bogus and returns a failure rather than falling back to the unsigned answer, so if any part of your DNSSEC setup is out of date or inconsistent, the certificate authority's lookup fails and certificate issuance is blocked.
What does this mean for your website?
If you have DNSSEC enabled on your domain and your SSL certificate is due for renewal, check that your DNSSEC records are correctly configured and up to date, particularly that the DS records held at your registrar match the keys your name servers currently serve and that your signatures have not expired. A failed renewal results in a browser warning once the existing certificate expires, which discourages visitors from trusting your site. You can find practical steps for keeping your website security settings in order in our security checklist for small businesses.
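The script below is an added example, not code from this article or from Sucuri, showing how the checks in the list of common misconfigurations and the pre-renewal advice above can be automated with nothing but the Python standard library. It recomputes the DS record your registrar should hold from the DNSKEY your zone serves (RFC 4034 section 5.1.4 and the key-tag algorithm in Appendix B), compares it with the registrar's DS set to catch stale or mismatched entries left behind by a rollover, classifies an RRSIG's validity window to catch expired signatures and clock skew, and flags name servers whose DNSKEY answers disagree. All zone data in it is constructed (the sample key is a placeholder whose 64 bytes are simply 0 to 63, not a real curve point) and the one-hour skew tolerance is an assumption, not something any standard mandates; in real use the DNSKEY and DS lines would come from `dig` or `delv` and the registrar's control panel.

```python
"""DNSSEC pre-renewal checks (stdlib only). Added example, not code from the
article or from Sucuri. Recomputes DS from the zone's DNSKEYs (RFC 4034 s5.1.4,
Appendix B), compares with the registrar's DS set, classifies RRSIG validity
windows (RFC 4035 s5.3.1) and flags name servers with divergent DNSKEY RRsets.
All zone data below is constructed; real data would come from dig or delv."""
from __future__ import annotations

import base64
import hashlib
import struct
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


@dataclass(frozen=True)
class Dnskey:
    owner: str         # fully qualified owner name, e.g. "example.com."
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3
    algorithm: int     # 13 = ECDSAP256SHA256, 8 = RSASHA256, ...
    public_key: bytes

    def rdata(self) -> bytes:  # wire RDATA: flags(2) | protocol(1) | algorithm(1) | key
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


def parse_dnskey_line(line: str) -> Dnskey:
    """Parse a DNSKEY in presentation (dig) format; base64 may be split into chunks."""
    f = line.split()
    i = f.index("DNSKEY")
    return Dnskey(f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), base64.b64decode("".join(f[i + 4:])))


def key_tag(key: Dnskey) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSAMD5)."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(key.rdata()))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(key: Dnskey, digest_type: int = 2) -> str:
    """DS RDATA the parent should publish: digest = H(owner name || DNSKEY RDATA)."""
    digest = DIGEST_ALGOS[digest_type](name_to_wire(key.owner) + key.rdata()).hexdigest()
    return f"{key_tag(key)} {key.algorithm} {digest_type} {digest.upper()}"


def check_ds_chain(registrar_ds: list[str], zone_keys: list[Dnskey]) -> list[str]:
    """Compare the registrar's DS set with the DNSKEYs the zone actually serves.
    Returns problems found; [] means at least one DS anchors a served key."""
    if not registrar_ds:
        return ["registrar publishes no DS: zone is signed but unanchored"]
    problems, anchored = [], False
    for ds in registrar_ds:
        tag, alg, dtype, digest = ds.split()
        tag, alg, dtype = int(tag), int(alg), int(dtype)
        candidates = [k for k in zone_keys if key_tag(k) == tag and k.algorithm == alg]
        if not candidates:
            problems.append(f"DS {tag}/{alg} is stale: no served DNSKEY has that tag (rollover leftover?)")
        elif dtype not in DIGEST_ALGOS:
            problems.append(f"DS {tag}/{alg} uses unsupported digest type {dtype}")
        elif any(ds_record(k, dtype).split()[3] == digest.upper() for k in candidates):
            anchored = True
        else:
            problems.append(f"DS {tag}/{alg} digest mismatch: registrar copy does not hash to the served key")
    if not anchored:
        problems.append("chain of trust broken: no registrar DS validates any served DNSKEY (BOGUS)")
    return problems


def rrsig_window(inception: str, expiration: str, now: str, skew_seconds: int = 3600) -> str:
    """Classify an RRSIG window from YYYYMMDDHHmmSS UTC strings; skew_seconds is the
    drift a lenient validator tolerates (an assumption here; RFC 4035 grants none)."""
    fmt = "%Y%m%d%H%M%S"
    inc, exp, t = (datetime.strptime(s, fmt).replace(tzinfo=timezone.utc) for s in (inception, expiration, now))
    skew = timedelta(seconds=skew_seconds)
    if t < inc - skew:
        return "not-yet-valid"        # signer's clock ahead of the validator?
    if t > exp + skew:
        return "expired"              # zone was not re-signed in time
    if t > exp:
        return "expired-within-skew"  # strict validators already reject this
    return "valid"


def inconsistent_servers(dnskey_sets: dict[str, frozenset[str]]) -> list[str]:
    """Name servers whose DNSKEY RRset differs from the majority answer."""
    majority = Counter(dnskey_sets.values()).most_common(1)[0][0]
    return sorted(ns for ns, rrset in dnskey_sets.items() if rrset != majority)


# constructed sample data (not a real zone; the 64 key bytes are simply 0..63)
SAMPLE_KSK = parse_dnskey_line(
    "example.com. 3600 IN DNSKEY 257 3 13 AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8g "
    "ISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+Pw==")
REGISTRAR_DS_GOOD = [ds_record(SAMPLE_KSK, 2)]
REGISTRAR_DS_STALE = ["12345 13 2 " + "00" * 32]  # DS for a key already rolled away
```

To run this against a real zone, paste the output of `dig +dnssec DNSKEY yourdomain.example` from each authoritative server into `parse_dnskey_line`, and the DS records shown by your registrar (or by `dig DS yourdomain.example`) into `check_ds_chain`; an empty result means the registrar's DS anchors a key you serve. `rrsig_window` is meant for the inception and expiration fields of the RRSIG records in the same dig output. Note that the skew tolerance only describes what some resolvers forgive; a certificate authority performing strict validation will reject a signature the moment it expires, so treat "expired-within-skew" as a failure.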