Skip to content
D1
EN

Certificate security

CAA Record Checker

Look up CAA DNS records at the domain apex, parse issue, issuewild and iodef tags, and review issuance warnings.

This form calls the relative endpoint: /site-api/tools/caa

How to use this tool

  1. CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. Inventory current and future CAs, publish issue for each authorized authority, add issuewild when wildcards are required, optionally publish iodef, then validate with this tool before opening a CSR or ACME order. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
  2. CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. Inventory current and future CAs, publish issue for each authorized authority, add issuewild when wildcards are required, optionally publish iodef, then validate with this tool before opening a CSR or ACME order. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
  3. CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. Inventory current and future CAs, publish issue for each authorized authority, add issuewild when wildcards are required, optionally publish iodef, then validate with this tool before opening a CSR or ACME order. For "iodef incident reporting URLs", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
  4. CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. Inventory current and future CAs, publish issue for each authorized authority, add issuewild when wildcards are required, optionally publish iodef, then validate with this tool before opening a CSR or ACME order. For "missing CAA and permissive issuance", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
  5. CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. Inventory current and future CAs, publish issue for each authorized authority, add issuewild when wildcards are required, optionally publish iodef, then validate with this tool before opening a CSR or ACME order. For "CAA checks before SSL renewal", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
  6. CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. Inventory current and future CAs, publish issue for each authorized authority, add issuewild when wildcards are required, optionally publish iodef, then validate with this tool before opening a CSR or ACME order. For "critical flag semantics for subdomains", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

What the result shows

The result is split into the signals that matter for this specific check.

FieldPurposeExample
DomainCAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.Enter the apex domain you are about to certify or renew.
Query nameCAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.Confirm CAA records exist before requesting a new certificate.
FoundCAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "iodef incident reporting URLs", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.Review issue tags for your chosen CA hostname.
ValidCAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "missing CAA and permissive issuance", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.Compare issuewild separately from apex issue policy.
RecordsCAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "CAA checks before SSL renewal", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.Add iodef mailto or HTTPS reporting when possible.
issueCAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "critical flag semantics for subdomains", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.Re-run after DNS TTL when migrating CAs.
issuewildCAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.Enter the apex domain you are about to certify or renew.
iodefCAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.Confirm CAA records exist before requesting a new certificate.

When this check helps

Use the checker during CA migrations, wildcard certificate planning, security questionnaires, and pre-renewal audits. CAA does not replace SSL validation — pair results with SSL Certificate Checker to confirm the live chain after issuance. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

Use the checker during CA migrations, wildcard certificate planning, security questionnaires, and pre-renewal audits. CAA does not replace SSL validation — pair results with SSL Certificate Checker to confirm the live chain after issuance. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

Use the checker during CA migrations, wildcard certificate planning, security questionnaires, and pre-renewal audits. CAA does not replace SSL validation — pair results with SSL Certificate Checker to confirm the live chain after issuance. For "iodef incident reporting URLs", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

Use the checker during CA migrations, wildcard certificate planning, security questionnaires, and pre-renewal audits. CAA does not replace SSL validation — pair results with SSL Certificate Checker to confirm the live chain after issuance. For "missing CAA and permissive issuance", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

Use the checker during CA migrations, wildcard certificate planning, security questionnaires, and pre-renewal audits. CAA does not replace SSL validation — pair results with SSL Certificate Checker to confirm the live chain after issuance. For "CAA checks before SSL renewal", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

Use the checker during CA migrations, wildcard certificate planning, security questionnaires, and pre-renewal audits. CAA does not replace SSL validation — pair results with SSL Certificate Checker to confirm the live chain after issuance. For "critical flag semantics for subdomains", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

What to review when results look wrong

If no records appear, query CAA at the exact FQDN being certified — usually the apex, not www unless you certify that host. An empty answer means any public CA may issue. After edits, wait for TTL and compare raw answers with dig +short CAA example.com. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

If no records appear, query CAA at the exact FQDN being certified — usually the apex, not www unless you certify that host. An empty answer means any public CA may issue. After edits, wait for TTL and compare raw answers with dig +short CAA example.com. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

If no records appear, query CAA at the exact FQDN being certified — usually the apex, not www unless you certify that host. An empty answer means any public CA may issue. After edits, wait for TTL and compare raw answers with dig +short CAA example.com. For "iodef incident reporting URLs", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

If no records appear, query CAA at the exact FQDN being certified — usually the apex, not www unless you certify that host. An empty answer means any public CA may issue. After edits, wait for TTL and compare raw answers with dig +short CAA example.com. For "missing CAA and permissive issuance", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

If no records appear, query CAA at the exact FQDN being certified — usually the apex, not www unless you certify that host. An empty answer means any public CA may issue. After edits, wait for TTL and compare raw answers with dig +short CAA example.com. For "CAA checks before SSL renewal", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

If no records appear, query CAA at the exact FQDN being certified — usually the apex, not www unless you certify that host. An empty answer means any public CA may issue. After edits, wait for TTL and compare raw answers with dig +short CAA example.com. For "critical flag semantics for subdomains", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

How to interpret the result

CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "iodef incident reporting URLs", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "missing CAA and permissive issuance", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "CAA checks before SSL renewal", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "critical flag semantics for subdomains", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

Recommended workflow

  1. Enter the apex domain you are about to certify or renew.
  2. Confirm CAA records exist before requesting a new certificate.
  3. Review issue tags for your chosen CA hostname.
  4. Compare issuewild separately from apex issue policy.
  5. Add iodef mailto or HTTPS reporting when possible.
  6. Re-run after DNS TTL when migrating CAs.

Tool vs manual checks

dig CAA example.com shows raw RRs but does not group issue versus issuewild or explain permissive absence. DNS Checker lists CAA among other types yet lacks issuance-focused warnings. DN01 uses the same Go lookup as the production API and returns shareable result pages. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

dig CAA example.com shows raw RRs but does not group issue versus issuewild or explain permissive absence. DNS Checker lists CAA among other types yet lacks issuance-focused warnings. DN01 uses the same Go lookup as the production API and returns shareable result pages. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

dig CAA example.com shows raw RRs but does not group issue versus issuewild or explain permissive absence. DNS Checker lists CAA among other types yet lacks issuance-focused warnings. DN01 uses the same Go lookup as the production API and returns shareable result pages. For "iodef incident reporting URLs", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

dig CAA example.com shows raw RRs but does not group issue versus issuewild or explain permissive absence. DNS Checker lists CAA among other types yet lacks issuance-focused warnings. DN01 uses the same Go lookup as the production API and returns shareable result pages. For "missing CAA and permissive issuance", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

dig CAA example.com shows raw RRs but does not group issue versus issuewild or explain permissive absence. DNS Checker lists CAA among other types yet lacks issuance-focused warnings. DN01 uses the same Go lookup as the production API and returns shareable result pages. For "CAA checks before SSL renewal", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

dig CAA example.com shows raw RRs but does not group issue versus issuewild or explain permissive absence. DNS Checker lists CAA among other types yet lacks issuance-focused warnings. DN01 uses the same Go lookup as the production API and returns shareable result pages. For "critical flag semantics for subdomains", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.

Why use DN01

  • Live apex CAA lookup
  • Parsed issue, issuewild, and iodef tags
  • Warnings when CAA is missing
  • Unknown tag and critical flag notes
  • Pairs with SSL and DNS tools
  • Shareable CAA result URL

FAQ

CAA record checker FAQ

DNS CAA records, issue and issuewild tags, authorized CAs, and iodef reporting.

What is a CAA DNS record?

CAA is a DNS record type that lists which certificate authorities may issue TLS certificates for a domain using issue, issuewild, and iodef tags. CAA record basics guide

Where should CAA be published?

Publish CAA at the apex of the domain being certified (example.com), not on unrelated hosts unless you certify those names.

What is the difference between issue and issuewild?

issue governs standard certificates; issuewild governs wildcard certificates separately under RFC 8659.

How does DN01 check CAA?

DN01 queries live CAA at the apex, parses tags, groups issue and issuewild values, and flags missing or unknown policy.

What happens when CAA is missing?

When no CAA exists, any publicly trusted CA may issue for the domain—publish CAA before renewal to restrict issuers.

Why check CAA before SSL renewal?

CA migration and ACME orders fail when CAA blocks the new authority—validate policy before opening a certificate request.

Tool switcher

Pick the next step in your domain or security workflow.

Full tool catalog

Guides

Practical guides for common CAA Record Checker tasks — DNS records, troubleshooting steps, and links to our free tools.

Back to CAA Record Checker