CAA Record Lookup
Inspect certificate authority authorization records and security policy.
About CAA Lookup
CAA (Certification Authority Authorization) records are a DNS-based security control that tells certificate authorities (CAs) which of them are allowed to issue TLS/SSL certificates for your domain. Every public CA is required by the CA/Browser Forum baseline requirements to check CAA before issuance, so a properly configured CAA record is a strong defense against unauthorized certificate issuance, whether by misconfigured automation, social engineering of a different CA, or a compromised account at a vendor you no longer use.

Our free CAA lookup tool queries the live DNS and lists every CAA record published for the domain you enter, including the issue and issuewild values that name allowed CAs and the iodef value that designates an incident-response email or URL.

This is essential when hardening a domain after a security review, when migrating from one TLS provider to another, when adopting Let's Encrypt for automated renewals, or when auditing a portfolio of domains to confirm consistent issuance policy. Free, browser-based via DNS-over-HTTPS, no signup required.
Common use cases
- Restrict TLS certificate issuance to a single, trusted certificate authority.
- Audit a domain's issuance policy after a TLS provider migration.
- Verify Let's Encrypt is allowed via a CAA "letsencrypt.org" entry.
- Add an incident-response contact (iodef) for unauthorized issuance attempts.
- Inspect a partner or acquired domain's certificate authorization posture.
How to use this tool
- Enter the domain whose certificate authorization you want to inspect.
- Click "Lookup" to query the live DNS for CAA records.
- Review the issue and issuewild values to see which CAs are allowed.
- Note any iodef contact published for incident notification.
Frequently asked questions
Do I need a CAA record?
It is optional but strongly recommended. Without CAA, any public CA may issue a certificate for your domain. With CAA, only the CAs you list can.
What is the difference between issue and issuewild?
The issue tag controls non-wildcard certificates; issuewild controls wildcard certificates. You can allow one CA for non-wildcards and a different CA for wildcards.
What does an empty CAA value do?
A CAA record with an empty issue value (issue ";") explicitly forbids any CA from issuing certificates for the domain.
How do CAs check CAA?
During issuance the CA queries CAA at the requested name and walks up to the apex if none is found. If a record forbids them, they must refuse issuance.
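The rules in the answers above (issue versus issuewild, the empty `;` value, and the walk up the DNS tree) can be modelled as a small policy evaluator. This is an added example, not this tool's code: `SAMPLE_ZONE`, the function names and the CA names are assumptions, records come from a constructed in-memory table rather than live DNS, and the critical flag and CNAME handling are left out.

```python
# Constructed sample data: owner name -> list of (tag, value) CAA properties.
SAMPLE_ZONE = {
    "example.com": [
        ("issue", "letsencrypt.org"),
        ("issuewild", "ca.example.net"),
        ("iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [("issue", ";")],
    "example.org": [("iodef", "mailto:security@example.org")],
}


def relevant_rrset(name, zone):
    """Climb from name toward the root; return (owner, records) of the first CAA set found."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard request starts the climb at its parent name
        labels = labels[1:]
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_domain(value):
    """Return the CA domain in an issue/issuewild value, dropping any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, name, zone):
    """Return True if the CAA policy modelled here permits `ca` to issue for `name`."""
    _, records = relevant_rrset(name, zone)
    issue = [issuer_domain(v) for t, v in records if t.lower() == "issue"]
    issuewild = [issuer_domain(v) for t, v in records if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    allowed = issuewild if name.startswith("*.") and issuewild else issue
    if not allowed:               # no restricting property (e.g. only iodef): any CA may issue
        return True
    return ca.lower() in allowed  # an empty value (";") yields "" and matches no CA
```

Because the closest record set wins, a subdomain with its own CAA records (here `locked.example.com`) overrides the policy published at the parent rather than adding to it.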