DNSSEC

DNSSEC guides and tutorials: sign and validate DNS zones to strengthen your infrastructure security.

11 articles

March 2026

Illustration of the 5 pillars of NIST SP 800-81r3 for DNS security

CaptainDNS · March 21, 2026

NIST SP 800-81r3: what the new DNS security guide changes

Full analysis of NIST SP 800-81r3, released March 19, 2026. Protective DNS, DNSSEC, encrypted DNS: the key recommendations for securing your infrastructure.

Diagram showing the link between DNSSEC, certificate authorities, and TLS certificate issuance after Ballot SC-085v2

CaptainDNS · March 19, 2026

Ballot SC-085v2: certificate authorities now verify DNSSEC before issuing a TLS certificate

Since March 15, 2026, the CA/Browser Forum requires CAs to verify DNSSEC during domain validation. This guide covers the context, impact, and how to check your configuration.

Timeline showing TLS certificate lifetime reduction from 398 to 47 days between 2026 and 2029

CaptainDNS · March 19, 2026

SC-081v3: 47-day TLS certificates, why it matters and how to prepare

The CA/Browser Forum voted to progressively reduce TLS certificate lifetimes from 398 to 47 days by March 2029. Timeline, rationale, impact, and practical guide.

Diagram of the Microsoft 365 MX migration from mail.protection.outlook.com to mx.microsoft with DNSSEC

CaptainDNS · March 6, 2026

Microsoft 365 MX Migration to mx.microsoft: Automatic DNSSEC, Mandatory Graph API, and Action Items Before July 2026

Microsoft is changing DNS provisioning for Exchange Online domains. MX records are moving from mail.protection.outlook.com to mx.microsoft to streamline DNSSEC adoption. Here's what's changing and what you need to do.

February 2026

DNSSEC SERVFAIL diagnosis: decision tree to identify and fix the cause of a SERVFAIL after enabling DNSSEC

CaptainDNS · February 25, 2026

SERVFAIL after enabling DNSSEC: diagnosis and fix

A SERVFAIL after enabling DNSSEC points to a broken chain of trust. This guide covers the five causes, three diagnostic commands, and exact fixes for each scenario.

Diagram showing the DANE flow between an SMTP sender and Exchange Online with DNSSEC and TLSA

CaptainDNS · February 24, 2026

Deploy DANE for Exchange Online and Microsoft 365

Microsoft 365 has supported inbound DANE since 2024. This guide explains how to enable it, configure DNSSEC on your domain, and verify the deployment.

CaptainDNS · February 23, 2026

DANE/TLSA troubleshooting: diagnose and fix common errors

Your DANE setup broke after a certificate renewal? Learn how to identify and fix the 5 most common DANE/TLSA errors.

Architecture diagram showing Postfix, Bind9 and Let's Encrypt connected by DANE/TLSA

CaptainDNS · February 22, 2026

Set up DANE/TLSA with Postfix, Bind and Let's Encrypt

Step-by-step tutorial to deploy DANE on a self-hosted mail server with Postfix, Bind9, DNSSEC and Let's Encrypt.

DNSSEC chain of trust: from the DNS root to your domain, each level verifies the next using cryptographic keys

CaptainDNS · February 22, 2026

Understand the DNSSEC chain of trust in 5 minutes

The chain of trust is the core principle behind DNSSEC. This guide explains every link, from the DNS root to your domain, with clear diagrams.

DANE/TLSA: authenticating email server TLS certificates via DNS and DNSSEC

CaptainDNS · February 21, 2026

DANE/TLSA: the complete guide to authenticating email certificates via DNS

DANE (RFC 6698/7672) binds TLS certificates to domain names using DNSSEC-signed TLSA DNS records. Learn how to deploy it to secure SMTP transport.

Enable DNSSEC with major registrars: Cloudflare, OVH, GoDaddy, Namecheap, Route 53, Google Domains

CaptainDNS · February 21, 2026

Enable DNSSEC: step-by-step guide by registrar

DNSSEC protects your visitors from DNS spoofing. This guide covers step-by-step activation for the 6 most popular registrars, with instant verification.