CAA Record Lookup — Certificate Authority Authorization
Fetch CAA records and see which CAs are authorized to issue certificates for a domain
How to Use This Tool
- Enter the apex domain or subdomain you want to inspect (for example example.com or mail.example.com).
- Click Lookup CAA to send a live DNS query for the CAA record type only.
- The tool returns the normalized domain and every CAA record string from the response.
- Each record shows its flags, its tag (issue, issuewild, or iodef), and its value, such as a CA domain or a contact URI.
- If no CAA records exist, the record list is empty — that is a valid outcome, not an error.
- Copy results for change tickets or compare against your intended CA allowlist before requesting certificates.
About This Tool
Certificate Authority Authorization (CAA) records tell the public which certificate authorities may issue TLS certificates for your domain and its subdomains. Before requesting a new certificate or auditing an existing deployment, checking CAA helps confirm that only approved CAs can sign for your hostname. VSPIC queries live DNS for CAA records on the domain you enter and lists every tag and value returned by authoritative nameservers.
CAA is optional but increasingly expected during enterprise security reviews and automated certificate workflows. An empty result means no CAA policy is published — CAs may still issue under their own policies. Published records with issue or issuewild tags restrict issuance to named authorities. Use this lookup after DNS changes, before cutover to a new CA, or when troubleshooting unexpected certificate rejection during ACME or manual enrollment.
Common use cases
- View all DNS records of a domain after migration
- Confirm DNS records after domain changes
- Test for DNS leaks when using a VPN
- Debug email delivery with MX and TXT records
What CAA records control
CAA is a DNS resource record type defined to reduce mis-issuance risk. A domain owner publishes CAA at the zone apex (or relevant label) to declare which certificate authorities are permitted to issue certificates. Certificate authorities are expected to check CAA before signing; failure to find a matching authorization should block issuance unless local policy overrides apply.
Tags matter. The issue tag limits standard certificates. The issuewild tag applies to wildcard certificates. The iodef tag points to a URL or email where policy violations should be reported. Multiple CAA records can coexist; issuers evaluate them according to the specification. Understanding your published tags prevents surprises when switching from one CA to another.
Reading CAA record syntax
Each CAA record appears as a single line combining a flags byte, a tag name, and a quoted value. A typical issue record authorizes one CA, identified by the domain name that CA publishes for CAA purposes. Flags are usually zero; a flags value of 128 sets the issuer-critical bit, which tells a CA that it must understand that record's tag or refuse to issue.
Our lookup returns raw record strings exactly as resolvers provide them. You do not need to reverse an IP or construct a special query name — CAA lives on the domain label itself, unlike PTR or SRV records that use structured owner names.
When to run a CAA lookup
Run a lookup before your first automated certificate on a new domain, after acquiring a domain through transfer, or when consolidating TLS under a single CA. Security questionnaires often ask whether CAA is configured; exporting current records documents compliance.
Also check CAA when a certificate order fails with policy errors. If your DNS still authorizes the previous CA but you moved to a new vendor, issuance stops until DNS is updated. TTL on CAA affects how quickly a fix propagates — pair this tool with our DNS TTL checker if you need timing estimates.
CAA at apex versus subdomains
CAA inheritance follows DNS tree rules. If a subdomain has no explicit CAA records, the issuing CA walks up the tree toward the apex (this climb is part of the CA's CAA check, not something ordinary DNS resolution does on its own). A policy published only at example.com therefore still constrains www.example.com, unless www publishes its own CAA set, in which case that closer set applies and the apex records are not consulted.
Wildcard certificates consult issuewild tags. If you rely on wildcard TLS, ensure issuewild authorizes your chosen CA, or that your issue tags cover the case: issue records govern wildcard requests only when the relevant set contains no issuewild record at all; once any issuewild record is present, only issuewild records are considered for wildcard names. Missing issuewild when requesting *.example.com is a frequent misconfiguration discovered only at order time.
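The record syntax and the apex-versus-subdomain rules described in the two sections above, as an added example that is not part of this page or of the VSPIC tool. It applies the RFC 8659 evaluation order: parse each presentation-format string into flags, tag and value; find the relevant record set by walking from the requested name toward the root; refuse when a critical record carries a tag the CA does not understand; and, for a wildcard name, use issuewild records when any exist, otherwise fall back to issue records. The zone contents, hostnames and CA names are constructed for the example; live DNS and CNAME following are out of scope.

```python
"""Parse CAA records and decide whether a CA may issue for a name (RFC 8659 rules)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

CRITICAL = 128                      # issuer-critical flag bit in the flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Presentation format: <flags> <tag> "<value>" (quotes are optional in some exports).
_CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"?([^"]*)"?\s*$')


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL)


def parse_caa(line: str) -> CAARecord:
    """Parse one CAA record string; tags are case-insensitive, values are kept as-is."""
    m = _CAA_RE.match(line)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError(f"flags byte out of range: {flags}")
    return CAARecord(flags, m.group(2).lower(), m.group(3).strip())


def relevant_record_set(zone: Dict[str, List[str]], name: str) -> List[CAARecord]:
    """Walk from `name` toward the root; the first label that publishes CAA wins.

    `zone` maps fully qualified names to the CAA strings published there. It is a
    constructed stand-in for live DNS; CNAME/DNAME following is not modelled."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        published = zone.get(".".join(labels))
        if published:
            return [parse_caa(r) for r in published]
        labels.pop(0)
    return []


def ca_may_issue(zone: Dict[str, List[str]], name: str, ca_domain: str) -> Tuple[bool, str]:
    """Decide whether the CA identified by `ca_domain` may issue for `name` (may be *.host)."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name          # the set is looked up from the wildcard's parent
    rrset = relevant_record_set(zone, base)
    if not rrset:
        return True, "no CAA published; issuance falls back to the CA's own policy"
    # A critical record whose tag the CA does not understand forbids issuance outright.
    for r in rrset:
        if r.critical and r.tag not in KNOWN_TAGS:
            return False, f"critical tag {r.tag!r} is not understood; must not issue"
    # Wildcard requests use issuewild records when any exist, otherwise issue records.
    use_wild = wildcard and any(r.tag == "issuewild" for r in rrset)
    tag = "issuewild" if use_wild else "issue"
    entries = [r for r in rrset if r.tag == tag]
    if not entries:
        return True, f"no {tag} records in the relevant set; CAA does not restrict this request"
    for r in entries:
        # The value is "<issuer-domain>[; param=value ...]"; only the domain part is compared.
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True, f'authorized by {r.flags} {r.tag} "{r.value}"'
    # An empty issuer (value ";") denies everyone; otherwise the CA simply is not listed.
    return False, f"{ca_domain} is not listed in the {tag} records"


# Constructed zone for the example (not real DNS data).
EXAMPLE_ZONE = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',                       # no CA may issue wildcards under the apex set
        '0 iodef "mailto:security@example.com"',
    ],
    "api.example.com": ['0 issue "digicert.com; validationmethods=dns-01"'],
    "legacy.example.com": ['128 futuretag "unknown"'],   # critical tag no CA understands
}

if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"), ("*.example.com", "letsencrypt.org"),
                     ("*.api.example.com", "digicert.com"), ("legacy.example.com", "letsencrypt.org"),
                     ("unrelated.test", "anyca.example")]:
        ok, why = ca_may_issue(EXAMPLE_ZONE, host, ca)
        print(f"{host:22} {ca:16} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Note that api.example.com publishes its own set, so the apex issuewild ";" does not apply to *.api.example.com; with no issuewild of its own, its issue record governs the wildcard request.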
Relationship to TLS and ACME
ACME (Automated Certificate Management Environment) clients request certificates from a CA after proving domain control. CAA is an additional gate: even with valid DNS or HTTP validation, the CA should refuse to issue if CAA excludes it. Publishing CAA before enabling ACME reduces the window in which an attacker who compromises DNS could obtain a certificate from an arbitrary issuer.
CAA does not replace certificate transparency logs or short-lived certificate practices. It complements them by narrowing which issuers may appear in those logs for your names.
Empty results versus errors
No CAA records means the domain does not publish an explicit CA allowlist. Many sites operate this way. Our tool distinguishes empty record sets from invalid domain input — mistyped domains or bare IP addresses trigger validation errors instead of silent empty lists.
Compare empty results against your security baseline. Regulated environments sometimes mandate explicit CAA even when optional globally. Document the intentional absence the same way you would document an allowlist.
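The distinction the two paragraphs above draw between an empty record set and invalid input, as an added example that is not VSPIC's code. It normalizes what a user typed (case, trailing dot, a pasted URL, an internationalized name), rejects bare IPv4/IPv6 addresses and malformed labels as input errors, and only then reports a lookup as "no CAA published" or "CAA published", so an intentional absence can be recorded as such. The resolver answers are a constructed dictionary standing in for live DNS.

```python
"""Separate invalid lookup input from a legitimately empty CAA answer."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hostname label: 1-63 letters, digits or hyphens, with no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(raw: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (normalized_name, None), or (None, reason) when the input is unusable."""
    name = raw.strip().lower()
    # Users often paste a URL; keep only the host part.
    if "://" in name:
        name = name.split("://", 1)[1]
    name = name.split("/", 1)[0].rstrip(".")
    if not name:
        return None, "empty input"
    # A bare IP address is not a DNS name and carries no CAA: report an error, not 'empty'.
    try:
        ipaddress.ip_address(name.strip("[]"))
        return None, "bare IP address; CAA is published on domain names, not addresses"
    except ValueError:
        pass
    # Internationalized names are converted to their A-label (punycode) form first.
    try:
        name = name.encode("idna").decode("ascii")
    except UnicodeError:
        return None, "name could not be encoded as IDNA (empty or over-long label)"
    if len(name) > 253:
        return None, "name exceeds 253 octets"
    labels = name.split(".")
    if len(labels) < 2:
        return None, "expected at least two labels (for example example.com)"
    for label in labels:
        if not _LABEL_RE.match(label):
            return None, f"invalid label {label!r}"
    return name, None


@dataclass
class LookupResult:
    domain: Optional[str]
    records: List[str] = field(default_factory=list)
    error: Optional[str] = None

    @property
    def status(self) -> str:
        """Three outcomes: bad input, a published allowlist, or a deliberate absence."""
        if self.error:
            return "invalid-input"
        return "caa-published" if self.records else "no-caa-published"

    def register_line(self) -> str:
        """One line suitable for an asset register or change ticket."""
        if self.error:
            return f"{self.status}: {self.error}"
        return f"{self.domain}: {self.status} ({len(self.records)} record(s)) {self.records}"


def caa_lookup(raw: str, answers: Dict[str, List[str]]) -> LookupResult:
    """`answers` maps names to the CAA strings a resolver returned (constructed stand-in)."""
    name, err = normalize_domain(raw)
    if err:
        return LookupResult(None, error=err)
    # The tool queries the name as entered; it does not walk up toward the apex.
    return LookupResult(name, list(answers.get(name, [])))


# Constructed resolver answers for the example (not real DNS data).
SAMPLE_ANSWERS = {"example.com": ['0 issue "letsencrypt.org"']}

if __name__ == "__main__":
    for entered in ["Example.COM.", "https://mail.example.com/path", "192.0.2.10",
                    "[2001:db8::1]", "exa mple.com", "localhost", "bücher.example"]:
        print(f"{entered:32} -> {caa_lookup(entered, SAMPLE_ANSWERS).register_line()}")
```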
Operational change management
Treat CAA updates like any high-impact DNS change. Lower TTL before edits if your provider supports timed transitions. After publishing new CAA, wait for propagation, then re-run this lookup from an independent resolver path to confirm visibility.
When decommissioning a CA, remove or replace its issue entries before revoking old certificates to avoid service gaps. Order matters: authorize the new CA in CAA, confirm with this lookup, then request the new certificate, then retire old records.
Limitations of live lookup
Results reflect public DNS at query time from the resolver path our service uses. Split-horizon DNS, unpublished internal zones, or pending propagation may show different answers inside your corporate network. Always confirm from the perspective of public certificate authorities.
This tool returns CAA only. It does not validate certificate chains, inspect existing certificates on HTTPS ports, or modify DNS. Use our SSL checker and email deliverability tools for adjacent mail and TLS diagnostics.
Integrating CAA checks into audits
Include CAA verification in quarterly domain inventories. Export record strings into asset registers alongside NS, MX, and TXT documentation. When multiple teams manage subdomains, centralize CAA policy at the apex where possible to reduce drift.
For acquisitions, scan every hostname in the target portfolio. Legacy zones sometimes contain CAA pointing to CAs the acquirer does not use, blocking unified certificate programs until cleaned up.
Frequently Asked Questions
Yes. VSPIC offers this CAA record lookup at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
No. Empty CAA means no explicit restriction is published. CAs apply their own policies. Published CAA that excludes your chosen CA will block issuance.
Enter the zone label where CAA should exist — usually the apex domain like example.com. Subdomains can have separate CAA if your provider publishes them there.
CAA reduces mis-issuance by honest CAs but is not a complete defense against a malicious or non-compliant issuer. Combine with monitoring and transparency log review.
After every DNS change affecting TLS, CA migration, or subdomain delegation. Periodic audits every quarter catch drift from automated infrastructure tools.
No. It performs read-only CAA queries and displays returned record strings.