Certificate security
CAA Record Checker
Look up CAA DNS records at the domain apex, parse issue, issuewild and iodef tags, and review issuance warnings.
How to use this tool
- CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. Inventory current and future CAs, publish issue for each authorized authority, add issuewild when wildcards are required, optionally publish iodef, then validate with this tool before opening a CSR or ACME order. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
- CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. Inventory current and future CAs, publish issue for each authorized authority, add issuewild when wildcards are required, optionally publish iodef, then validate with this tool before opening a CSR or ACME order. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
- CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. Inventory current and future CAs, publish issue for each authorized authority, add issuewild when wildcards are required, optionally publish iodef, then validate with this tool before opening a CSR or ACME order. For "iodef incident reporting URLs", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
- CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. Inventory current and future CAs, publish issue for each authorized authority, add issuewild when wildcards are required, optionally publish iodef, then validate with this tool before opening a CSR or ACME order. For "missing CAA and permissive issuance", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
- CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. Inventory current and future CAs, publish issue for each authorized authority, add issuewild when wildcards are required, optionally publish iodef, then validate with this tool before opening a CSR or ACME order. For "CAA checks before SSL renewal", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
- CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. Inventory current and future CAs, publish issue for each authorized authority, add issuewild when wildcards are required, optionally publish iodef, then validate with this tool before opening a CSR or ACME order. For "critical flag semantics for subdomains", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
What the result shows
The result is split into the signals that matter for this specific check.
| Field | Purpose | Example |
|---|---|---|
| Domain | CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice. | Enter the apex domain you are about to certify or renew. |
| Query name | CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice. | Confirm CAA records exist before requesting a new certificate. |
| Found | CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "iodef incident reporting URLs", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice. | Review issue tags for your chosen CA hostname. |
| Valid | CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "missing CAA and permissive issuance", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice. | Compare issuewild separately from apex issue policy. |
| Records | CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "CAA checks before SSL renewal", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice. | Add iodef mailto or HTTPS reporting when possible. |
| issue | CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "critical flag semantics for subdomains", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice. | Re-run after DNS TTL when migrating CAs. |
| issuewild | CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice. | Enter the apex domain you are about to certify or renew. |
| iodef | CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice. | Confirm CAA records exist before requesting a new certificate. |
When this check helps
Use the checker during CA migrations, wildcard certificate planning, security questionnaires, and pre-renewal audits. CAA does not replace SSL validation — pair results with SSL Certificate Checker to confirm the live chain after issuance. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
Use the checker during CA migrations, wildcard certificate planning, security questionnaires, and pre-renewal audits. CAA does not replace SSL validation — pair results with SSL Certificate Checker to confirm the live chain after issuance. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
Use the checker during CA migrations, wildcard certificate planning, security questionnaires, and pre-renewal audits. CAA does not replace SSL validation — pair results with SSL Certificate Checker to confirm the live chain after issuance. For "iodef incident reporting URLs", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
Use the checker during CA migrations, wildcard certificate planning, security questionnaires, and pre-renewal audits. CAA does not replace SSL validation — pair results with SSL Certificate Checker to confirm the live chain after issuance. For "missing CAA and permissive issuance", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
Use the checker during CA migrations, wildcard certificate planning, security questionnaires, and pre-renewal audits. CAA does not replace SSL validation — pair results with SSL Certificate Checker to confirm the live chain after issuance. For "CAA checks before SSL renewal", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
Use the checker during CA migrations, wildcard certificate planning, security questionnaires, and pre-renewal audits. CAA does not replace SSL validation — pair results with SSL Certificate Checker to confirm the live chain after issuance. For "critical flag semantics for subdomains", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
What to review when results look wrong
If no records appear, query CAA at the exact FQDN being certified — usually the apex, not www unless you certify that host. An empty answer means any public CA may issue. After edits, wait for TTL and compare raw answers with dig +short CAA example.com. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
If no records appear, query CAA at the exact FQDN being certified — usually the apex, not www unless you certify that host. An empty answer means any public CA may issue. After edits, wait for TTL and compare raw answers with dig +short CAA example.com. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
If no records appear, query CAA at the exact FQDN being certified — usually the apex, not www unless you certify that host. An empty answer means any public CA may issue. After edits, wait for TTL and compare raw answers with dig +short CAA example.com. For "iodef incident reporting URLs", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
If no records appear, query CAA at the exact FQDN being certified — usually the apex, not www unless you certify that host. An empty answer means any public CA may issue. After edits, wait for TTL and compare raw answers with dig +short CAA example.com. For "missing CAA and permissive issuance", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
If no records appear, query CAA at the exact FQDN being certified — usually the apex, not www unless you certify that host. An empty answer means any public CA may issue. After edits, wait for TTL and compare raw answers with dig +short CAA example.com. For "CAA checks before SSL renewal", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
If no records appear, query CAA at the exact FQDN being certified — usually the apex, not www unless you certify that host. An empty answer means any public CA may issue. After edits, wait for TTL and compare raw answers with dig +short CAA example.com. For "critical flag semantics for subdomains", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
How to interpret the result
CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "iodef incident reporting URLs", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "missing CAA and permissive issuance", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "CAA checks before SSL renewal", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
CAA (Certification Authority Authorization) is published as DNS CAA records at the domain apex. Before issuing a certificate, publicly trusted CAs must check CAA and honor issue, issuewild, and iodef tags. For "critical flag semantics for subdomains", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
Recommended workflow
- Enter the apex domain you are about to certify or renew.
- Confirm CAA records exist before requesting a new certificate.
- Review issue tags for your chosen CA hostname.
- Compare issuewild separately from apex issue policy.
- Add iodef mailto or HTTPS reporting when possible.
- Re-run after DNS TTL when migrating CAs.
Tool vs manual checks
dig CAA example.com shows raw RRs but does not group issue versus issuewild or explain permissive absence. DNS Checker lists CAA among other types yet lacks issuance-focused warnings. DN01 uses the same Go lookup as the production API and returns shareable result pages. For "issue tag and authorized certificate authorities", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
dig CAA example.com shows raw RRs but does not group issue versus issuewild or explain permissive absence. DNS Checker lists CAA among other types yet lacks issuance-focused warnings. DN01 uses the same Go lookup as the production API and returns shareable result pages. For "issuewild and wildcard TLS certificates", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
dig CAA example.com shows raw RRs but does not group issue versus issuewild or explain permissive absence. DNS Checker lists CAA among other types yet lacks issuance-focused warnings. DN01 uses the same Go lookup as the production API and returns shareable result pages. For "iodef incident reporting URLs", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
dig CAA example.com shows raw RRs but does not group issue versus issuewild or explain permissive absence. DNS Checker lists CAA among other types yet lacks issuance-focused warnings. DN01 uses the same Go lookup as the production API and returns shareable result pages. For "missing CAA and permissive issuance", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
dig CAA example.com shows raw RRs but does not group issue versus issuewild or explain permissive absence. DNS Checker lists CAA among other types yet lacks issuance-focused warnings. DN01 uses the same Go lookup as the production API and returns shareable result pages. For "CAA checks before SSL renewal", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
dig CAA example.com shows raw RRs but does not group issue versus issuewild or explain permissive absence. DNS Checker lists CAA among other types yet lacks issuance-focused warnings. DN01 uses the same Go lookup as the production API and returns shareable result pages. For "critical flag semantics for subdomains", treat published CAA as the issuance contract CAs must evaluate at order time. Document each tag, confirm wildcard policy separately, and verify iodef reporting before renewal. After DNS changes, re-run the same domain to prove tags are visible and aligned with your CA choice.
Why use DN01
- Live apex CAA lookup
- Parsed issue, issuewild, and iodef tags
- Warnings when CAA is missing
- Unknown tag and critical flag notes
- Pairs with SSL and DNS tools
- Shareable CAA result URL
FAQ
CAA record checker FAQ
DNS CAA records, issue and issuewild tags, authorized CAs, and iodef reporting.
What is a CAA DNS record?
CAA is a DNS record type that lists which certificate authorities may issue TLS certificates for a domain using issue, issuewild, and iodef tags. CAA record basics guide
Where should CAA be published?
Publish CAA at the apex of the domain being certified (example.com), not on unrelated hosts unless you certify those names.
What is the difference between issue and issuewild?
issue governs standard certificates; issuewild governs wildcard certificates separately under RFC 8659.
How does DN01 check CAA?
DN01 queries live CAA at the apex, parses tags, groups issue and issuewild values, and flags missing or unknown policy.
What happens when CAA is missing?
When no CAA exists, any publicly trusted CA may issue for the domain—publish CAA before renewal to restrict issuers.
Why check CAA before SSL renewal?
CA migration and ACME orders fail when CAA blocks the new authority—validate policy before opening a certificate request.
Tool switcher
Continue with another check
Pick the next step in your domain or security workflow.
- SSL Certificate CheckerCertificate chain, SAN and TLS versionOpen
- DNS CheckerAll major record types in one passOpen
- DIGOne record type, resolver-style answerOpen
- Domain IP LookupA and AAAA IP addresses for a domainOpen
- Domain Age CheckerCreation date, age, registrar and expiryOpen
- WHOISRegistrar, expiry and domain statusOpen
- HTTP Header CheckerResponse headers, redirects and cachingOpen
- HTTP/2 TesterHTTP/2 support, ALPN and TLS negotiationOpen
- Blacklist CheckerDNSBL reputation for IP and domainOpen
- Punycode ConverterUnicode ↔ Punycode for IDN domainsOpen
- URL SplitterBreak a URL into parts and query paramsOpen
- Base64 CodecEncode and decode Base64 textOpen
- Password GeneratorStrong random passwords for ops workOpen
- Password Strength CheckerEntropy, crack time and password suggestionsOpen
- Passphrase GeneratorMemorable random word phrases for safer sharing testsOpen
- BIN CheckerCard brand, bank and country from BIN/IINOpen
- IP CalculatorSubnet math for IPv4 and IPv6 CIDROpen
- Browser Update CheckerBrowser version, update status and Client HintsOpen
- SPF ValidatorValidate SPF TXT records, mechanisms and terminal allOpen
- DMARC AnalyzerDMARC policy, alignment and reporting checksOpen
Related articles
Practical guides for common CAA Record Checker tasks — DNS records, troubleshooting steps, and links to our free tools.
caa record basics, caa record checker, caa dns
CAA record basics at the domain apex
CAA record basics at the domain apex. CAA restricts which publicly trusted certificate authorities may issue TLS certificates for a domain by publishing DNS CAA records at the apex. DN01 returns parsed tags, warnings, recommendations, and a shareable result URL for the same domain after DNS edits.
Read article →issue tag authorized cas, caa record checker, caa dns
issue tag and authorized certificate authorities
issue tag and authorized certificate authorities. CAA restricts which publicly trusted certificate authorities may issue TLS certificates for a domain by publishing DNS CAA records at the apex. DN01 returns parsed tags, warnings, recommendations, and a shareable result URL for the same domain after DNS edits.
Read article →issuewild wildcard certificates, caa record checker, caa dns
issuewild and wildcard TLS certificates
issuewild and wildcard TLS certificates. CAA restricts which publicly trusted certificate authorities may issue TLS certificates for a domain by publishing DNS CAA records at the apex. DN01 returns parsed tags, warnings, recommendations, and a shareable result URL for the same domain after DNS edits.
Read article →iodef incident reporting, caa record checker, caa dns
iodef incident reporting for certificate policy violations
iodef incident reporting for certificate policy violations. CAA restricts which publicly trusted certificate authorities may issue TLS certificates for a domain by publishing DNS CAA records at the apex. DN01 returns parsed tags, warnings, recommendations, and a shareable result URL for the same domain after DNS edits.
Read article →caa before ssl renewal, caa record checker, caa dns
CAA checks before SSL certificate renewal
CAA checks before SSL certificate renewal. CAA restricts which publicly trusted certificate authorities may issue TLS certificates for a domain by publishing DNS CAA records at the apex. DN01 returns parsed tags, warnings, recommendations, and a shareable result URL for the same domain after DNS edits.
Read article →shareable caa record checker results, caa record checker, caa dns
Shareable CAA record checker result pages
Shareable CAA record checker result pages. CAA restricts which publicly trusted certificate authorities may issue TLS certificates for a domain by publishing DNS CAA records at the apex. DN01 returns parsed tags, warnings, recommendations, and a shareable result URL for the same domain after DNS edits.
Read article →