From fb4d006d8ea150bdab2325f8d4483c79494e2825 Mon Sep 17 00:00:00 2001 From: Martijn Katerbarg Date: Fri, 21 Nov 2025 15:22:28 +0100 Subject: [PATCH 1/2] Carve-out DNSSEC logging requirements --- docs/BR.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/BR.md b/docs/BR.md index 3edd10e4..3afd9a7e 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -773,6 +773,9 @@ Effective March 15th, 2026: CAs MUST NOT use local policy to disable DNSSEC vali DNSSEC validation back to the IANA DNSSEC root trust anchor MAY be performed on all DNS queries associated with the validation of domain authorization or control by Remote Network Perspectives used for Multi-Perspective Issuance Corroboration. DNSSEC validation back to the IANA DNSSEC root trust anchor is considered outside the scope of self-audits performed to fulfill the requirements in [Section 8.7](#87-self-audits). + +DNSSEC validation back to the IANA DNSSEC root trust anchor is considered outside the scope of the logging requirements to fulfill the requirements in [Section 5.4.1](#541-types-of-events-recorded). + CAs SHALL maintain a record of which domain validation method, including relevant BR version number, they used to validate every domain. **Note**: FQDNs may be listed in Subscriber Certificates using `dNSName`s in the `subjectAltName` extension or in Subordinate CA Certificates via `dNSName`s in `permittedSubtrees` within the Name Constraints extension. From 00aa4ea35372c84d08ef1cbd4fc1bb8d356d6e09 Mon Sep 17 00:00:00 2001 From: Martijn Katerbarg Date: Wed, 10 Dec 2025 16:43:10 +0100 Subject: [PATCH 2/2] Update docs/BR.md --- docs/BR.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/BR.md b/docs/BR.md index 3afd9a7e..47db1e17 100644 --- a/docs/BR.md +++ b/docs/BR.md 
@@ -774,7 +774,7 @@ DNSSEC validation back to the IANA DNSSEC root trust anchor MAY be performed on DNSSEC validation back to the IANA DNSSEC root trust anchor is considered outside the scope of self-audits performed to fulfill the requirements in [Section 8.7](#87-self-audits). -DNSSEC validation back to the IANA DNSSEC root trust anchor is considered outside the scope of the logging requirements to fulfill the requirements in [Section 5.4.1](#541-types-of-events-recorded). +DNSSEC validation back to the IANA DNSSEC root trust anchor is considered outside the scope of the logging requirements of [Section 5.4.1](#541-types-of-events-recorded). CAs SHALL maintain a record of which domain validation method, including relevant BR version number, they used to validate every domain.
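Review bot: in PATCH 1/2 (hunk @@ -773,6 +773,9), the added sentence does not say whose DNSSEC validation falls outside the Section 5.4.1 logging requirements. The context line above it makes validation by Remote Network Perspectives optional ("MAY be performed"), while the hunk header shows a requirement that CAs "MUST NOT use local policy to disable DNSSEC", and the new text can be read as covering both. Suggest naming the actor the carve-out applies to, and stating how it interacts with the record-keeping in the following context line ("CAs SHALL maintain a record of which domain validation method ..."), so an auditor can tell whether a DNSSEC failure during a validation attempt still has to appear anywhere.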
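Review bot: the subject of PATCH 2/2, "Update docs/BR.md", does not say what changed, and its single + line in hunk @@ -774,7 +774,7 only rewords the sentence introduced in PATCH 1/2 (dropping the doubled "requirements to fulfill the requirements in"). Suggest squashing it into PATCH 1/2, or giving it a descriptive subject, so the history of this normative sentence shows one clear change rather than an intermediate wording.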