CAA Record Lookup
Find and interpret CAA (Certification Authority Authorization) records. Walks the DNS tree to show which CA is allowed to issue certs for a domain.
Look up CAA records
Lists the CAA records for a domain. These records control which certificate authorities are allowed to issue certificates for it; if no CAA records exist anywhere in the name's ancestry, any public CA can issue.
Why CAA matters
A CAA record restricts issuance for your domain to the certificate authorities it names. Without one, any public CA the browsers trust may issue a certificate for your name, which is exactly what attackers exploited in the GoDaddy/Comodo and early Let’s Encrypt incidents. Publishing CAA is a free, two-minute mis-issuance defense.
How the tool works
Per RFC 8659, the effective CAA set is the RRset of the name itself or, failing that, of the nearest ancestor in the DNS tree that has any CAA record. This tool walks from the full domain up toward the parent zone, querying each level via DNS-over-HTTPS, and shows the first non-empty set along with the full walk trace.
What to look for
- issue — CAs allowed to issue non-wildcard certificates.
- issuewild — CAs allowed to issue wildcard certificates. If absent, the issue records apply to wildcards too.
- iodef — the mailto: or URL that a CA reports violations to. Set one.
- Flags 128 — the critical flag. When set, a CA that does not understand the record's tag must refuse to issue.
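The walk described under "How the tool works" and the interpretation rules listed above, as one added Python example (not the tool's own code). It walks a constructed, in-memory zone instead of DoH, returns the first non-empty CAA set with the trace, and then applies the issue/issuewild/critical-flag rules from RFC 8659 to decide whether a named CA may issue. The zone contents, the resolver callback and the CA names are all constructed for the example.

```python
"""CAA tree walk and issuance decision per RFC 8659 (offline, added example)."""
from dataclasses import dataclass

CRITICAL = 128  # the only flag bit RFC 8659 defines


@dataclass(frozen=True)
class CAA:
    flags: int   # 0..255; bit 128 is the Issuer Critical flag
    tag: str     # "issue", "issuewild", "iodef" or an unknown tag
    value: str   # for issue/issuewild: "ca.example; param=..." or ";" (no CA)


# Constructed zone data standing in for DNS-over-HTTPS answers.
# Owner names are fully qualified (trailing dot).
SAMPLE_ZONE = {
    "example.com.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),                      # no wildcard issuance at all
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.net.": [
        CAA(CRITICAL, "futuretag", "something"),       # critical tag no CA understands
        CAA(0, "issue", "digicert.com"),
    ],
}


def sample_resolver(owner):
    """Stand-in for the DoH query: returns the CAA RRset at `owner`, or []."""
    return SAMPLE_ZONE.get(owner, [])


def lookup_caa(name, resolver):
    """Return (effective_rrset, trace) by walking from `name` toward the root.

    The trace lists (owner, record_count) for every level queried. The first
    level with a non-empty RRset is the effective set; a leading "*." label is
    dropped first, as CAs do for wildcard requests (assumed convention).
    """
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").split(".")
    trace = []
    for i in range(len(labels)):          # name, parent, ..., TLD
        owner = ".".join(labels[i:]) + "."
        rrset = resolver(owner)
        trace.append((owner, len(rrset)))
        if rrset:
            return list(rrset), trace
    return [], trace


def parse_issuer(value):
    """'ca.example; accounturi=...' -> 'ca.example'; a bare ';' -> None (no CA authorized)."""
    domain = value.split(";", 1)[0].strip().lower()
    return domain or None


def may_issue(rrset, ca_domain, wildcard=False):
    """Apply RFC 8659 section 4 to an effective RRset. Returns (allowed, reason)."""
    ca = ca_domain.lower()
    known = {"issue", "issuewild", "iodef"}
    # Critical flag: an unknown tag with bit 128 set forbids issuance outright.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in known:
            return False, f"critical unknown tag '{rr.tag}'"
    if not rrset:
        return True, "no CAA records in the tree: any CA may issue"
    # issuewild governs wildcard requests only when present; otherwise issue applies.
    has_wild = any(rr.tag.lower() == "issuewild" for rr in rrset)
    tag = "issuewild" if (wildcard and has_wild) else "issue"
    issuers = {parse_issuer(rr.value) for rr in rrset if rr.tag.lower() == tag}
    if not issuers:
        return True, f"no '{tag}' records: this property is unrestricted"
    if ca in issuers:
        return True, f"'{tag}' authorizes {ca}"
    named = sorted(i for i in issuers if i)
    return False, f"'{tag}' set {named} does not include {ca}"


if __name__ == "__main__":
    rrset, trace = lookup_caa("www.example.com", sample_resolver)
    for owner, count in trace:
        print(f"{owner:<20} {count} CAA record(s)")
    for ca, wild in [("letsencrypt.org", False), ("digicert.com", False), ("letsencrypt.org", True)]:
        print(ca, "wildcard" if wild else "non-wildcard", may_issue(rrset, ca, wild))
```

The resolver callback is the only thing that changes when moving from the constructed zone to real DoH queries, which keeps the walk and the decision logic testable offline.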
Related
- DNSSEC check — CAA without DNSSEC is still attackable via DNS hijacking.