CAA Record Lookup
Inspect certificate authority authorization records and security policy.
About CAA Lookup
CAA (Certification Authority Authorization) records let domain owners specify which certificate authorities are allowed to issue TLS certificates for their domain. When a CA attempts to issue a certificate, the baseline requirements published by the CA/Browser Forum require it to query CAA before proceeding. If a CAA record exists and the CA isn't named in it, the CA must refuse the request.
Without CAA records, any of the roughly 200 publicly trusted CAs can issue a certificate for your domain. A CA that gets phished, breached, or receives a forged authorization request could issue a valid certificate for your domain without any notification to you. CAA limits the blast radius: only the CAs you name can be targeted. If a CA you've never used is socially engineered into attempting issuance for your domain, your CAA record stops the attempt at the compliance check.
What this tool shows
The AT USE CAA Lookup queries live DNS for any domain and returns its published CAA records. Each record displays three components: the flag (almost always 0 for standard use), the tag, and the value. The tag determines what the record controls:
- issue — names a CA allowed to issue non-wildcard certificates. Example: 0 issue "letsencrypt.org"
- issuewild — names a CA allowed to issue wildcard certificates (*.domain.com). If absent, the issue tag governs wildcards too.
- iodef — designates an incident-response URL or email address. CAs that detect a policy violation must attempt to notify this contact.
Queries run via DNS-over-HTTPS, so results reflect what a CA would see when performing a compliance check during actual certificate issuance.
CAA inheritance and empty values
If no CAA record exists at the queried name, a CA walks up the DNS tree toward the apex and checks each label level for CAA records. A record at example.com covers all subdomains that publish no overriding record. An issue record with an empty value — issue ";" — explicitly forbids all CAs from issuing certificates for that name. This is valid and useful on subdomains that should never receive a publicly trusted certificate.
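As an added example that is not part of this tool or page, the following Python evaluator applies the rules described in this section and the one above (the three-part record in its DNS RDATA form, the walk toward the apex, issue versus issuewild, and the empty value ";") to a constructed in-memory zone instead of live DNS. Its audit function classifies domains the way the portfolio sweep in the use cases below does, and the wildcard case shows the issuewild ";" behaviour the FAQ describes. The zone contents, the name old-vendor-ca.example and all function names are assumptions made for the example.

```python
"""CAA policy evaluation against a constructed in-memory zone (no live DNS).

Added example, not the tool's own code. It implements the rules the page
describes: the three-part record (flags, tag, value) in its DNS RDATA form,
the walk toward the apex when the queried name has no CAA set, issue versus
issuewild, and the empty value (";") that forbids every CA. Zone data and
CA names below are constructed for the example.
"""
from typing import Dict, List, Optional, Set, Tuple

CaaRecord = Tuple[int, str, str]        # (flags, tag, value)
Zone = Dict[str, List[bytes]]           # owner name -> CAA RDATA records
ISSUER_CRITICAL = 0x80                  # flags bit 7: unknown critical tag => must not issue
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def build_caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Encode one CAA record as DNS RDATA: flags byte, tag length byte, tag, value."""
    tag_b = tag.encode("ascii")
    if not 0 <= flags <= 255 or not 1 <= len(tag_b) <= 255:
        raise ValueError("flags must fit in one byte and the tag in 1..255 bytes")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")


def parse_caa_rdata(rdata: bytes) -> CaaRecord:
    """Decode RDATA into (flags, tag, value); tags are matched case-insensitively."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than its 2-byte header")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("CAA RDATA truncated inside the tag")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    return flags, tag, rdata[2 + tag_len:].decode("utf-8")


def find_caa_set(zone: Zone, name: str) -> Tuple[Optional[str], List[CaaRecord]]:
    """Walk from the queried name toward the apex; return the first CAA set found."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, [parse_caa_rdata(r) for r in zone[owner]]
    return None, []


def issuer_domain(value: str) -> str:
    """Drop CAA parameters: 'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone: Zone, name: str, ca: str) -> bool:
    """Decide whether CA `ca` may issue for `name` ('*.example.com' asks about a wildcard)."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    _, records = find_caa_set(zone, base)
    # A critical flag on a tag this evaluator does not understand forbids issuance.
    if any(f & ISSUER_CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [r for r in records if r[1] == "issue"]
    issuewild = [r for r in records if r[1] == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:                 # no CAA set, or only iodef: no restriction published
        return True
    allowed = {issuer_domain(v) for _, _, v in relevant}
    allowed.discard("")              # issue ";" names nobody, so it can only forbid
    return ca.lower() in allowed


def audit(zone: Zone, domains: List[str], authorized: Set[str]) -> Dict[str, str]:
    """Classify domains the way the page's portfolio review does."""
    report: Dict[str, str] = {}
    for d in domains:
        owner, records = find_caa_set(zone, d)
        named = {issuer_domain(v) for _, t, v in records if t in ("issue", "issuewild")}
        named.discard("")
        stale = sorted(named - {a.lower() for a in authorized})
        if owner is None:
            report[d] = "no CAA: any public CA may issue"
        elif stale:
            report[d] = "stale: names unauthorized CA(s) " + ", ".join(stale)
        else:
            report[d] = "ok: policy at " + owner
    return report


# Constructed zone: apex locked to one CA, wildcards forbidden, one stale
# subdomain left over from an old vendor, one subdomain that must never get a cert.
ZONE: Zone = {
    "example.com": [
        build_caa_rdata(0, "issue", "letsencrypt.org"),
        build_caa_rdata(0, "issuewild", ";"),
        build_caa_rdata(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [build_caa_rdata(0, "issue", "old-vendor-ca.example")],
    "internal.example.com": [build_caa_rdata(0, "issue", ";")],
}

if __name__ == "__main__":
    for q, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "digicert.com"),
                  ("*.example.com", "letsencrypt.org"), ("internal.example.com", "letsencrypt.org")]:
        print(f"{ca:>16} -> {q:<22} {'may issue' if ca_may_issue(ZONE, q, ca) else 'must refuse'}")
    for d, status in audit(ZONE, ["www.example.com", "legacy.example.com", "orphan.example.org"],
                           {"letsencrypt.org"}).items():
        print(f"{d:<22} {status}")
```

Note that www.example.com publishes nothing of its own, so the evaluator resolves it through the apex set, exactly the inheritance a CA relies on; legacy.example.com, by contrast, carries its own stale issue record, so the apex policy never applies to it and the audit flags it for remediation.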
When to run a CAA lookup
Check CAA after migrating from one TLS provider to another — stale records that still name the old CA prevent the new CA from issuing automatically. Check CAA when adopting Let's Encrypt for automated renewal via ACME — Let's Encrypt requires a CAA record that either names letsencrypt.org or is absent entirely. Check CAA during a security review to confirm that high-value domains restrict issuance to authorized CAs. And check CAA on newly acquired domains or subdomains to understand their current issuance policy before making changes.
Common use cases
- Locking a domain to a single CA after migrating to Let's Encrypt — An engineering team switches from a commercial CA to Let's Encrypt for automated renewal via Certbot. They add a CAA record naming letsencrypt.org for the issue tag and run a lookup to confirm the record is live in DNS. Any issuance attempt by the old CA now fails at the CA's compliance check — the old CA is not listed, so it must refuse. If the old CA detects the attempt, the iodef contact receives a violation notification.
- Auditing a portfolio of domains after a security review — A security team runs a compliance sweep across 60 company domains. The CAA lookup on each confirms which are locked to authorized CAs, which have no restriction at all, and which have stale entries naming decommissioned CAs from past vendors. Domains without any CAA record are flagged for remediation. Domains with stale entries are updated to reflect the current CA lineup.
- Investigating a certificate transparency alert for an unexpected cert — A DevSecOps engineer receives a certificate transparency log alert — a TLS certificate was issued for their domain by a CA they don't recognize. The CAA lookup shows no CAA records on the domain, which is how the unauthorized CA was able to proceed. They immediately add a restrictive CAA record naming only their authorized CA, then contact the mis-issuing CA to request revocation.
- Confirming Let's Encrypt ACME authorization before renewal — A developer sets up automatic certificate renewal using Certbot. The first renewal attempt fails. The error message from Let's Encrypt cites CAA — the domain has a CAA record from a previous setup that doesn't list letsencrypt.org. The CAA lookup confirms the issue. They add the letsencrypt.org entry and the renewal succeeds on the next attempt.
- Verifying a subdomain's issuance policy — An organization has a restrictive CAA policy at the apex domain. A developer adds a new subdomain and wants to confirm whether the apex policy applies or whether the subdomain needs its own CAA record for a different certificate type. The CAA lookup on the subdomain returns no records — DNS inheritance means the apex policy applies. The developer adds a subdomain-level CAA record only if they need different issuance rules there.
How to use this tool
- Enter the domain whose certificate authorization you want to inspect.
- Click "Lookup" to query the live DNS for CAA records.
- Review the issue and issuewild values to see which CAs are allowed.
- Note any iodef contact published for incident notification.
Frequently asked questions
Does CAA prevent all unauthorized certificate issuance?
No. CAA only binds CAs that comply with the CA/Browser Forum baseline requirements. A CA that has already been distrusted by browsers, or one acting fraudulently, is not bound by it. CAA is most effective against compliant CAs being misled or making errors. For more complete monitoring, combine CAA with certificate transparency log alerts — services like crt.sh notify you of any new certificate issuance for your domain regardless of whether the CA complied with CAA.
What happens if a domain has no CAA records at all?
Any publicly trusted CA can issue a certificate for the domain. The lookup returns an empty result set — this is not an error, it means no issuance restrictions have been published. The absence of CAA is common on older domains and those that predate CAA's mandatory CA/Browser Forum status (mandated in September 2017).
Can I set different CAs for regular certificates and wildcard certificates?
Yes. The issue tag controls non-wildcard issuance; issuewild controls wildcard issuance independently. You can allow one CA for standard certificates and a different CA for wildcards. You can also set issuewild to ";" to forbid all wildcard issuance regardless of the issue value — useful when wildcard certificates are not permitted by your organization's policy.
Can I see what CAA records a domain should have before I make changes?
This tool shows you what's currently in DNS. To determine what records you should have, check your TLS vendor's documentation — most CAs publish the exact CAA issue value that names them. Let's Encrypt's value is letsencrypt.org; Google Trust Services uses pki.goog; DigiCert's is digicert.com. Use those values in your issue records.
If I add a CAA record, does it take effect immediately?
CAA records propagate with your DNS TTL — the same as any other DNS change. A TTL of 3600 seconds (1 hour) means most resolvers see the new record within an hour of the change. CAs perform a live DNS query at issuance time, so the record is checked at the moment the certificate is requested, not cached from a previous lookup.