CAA Record Lookup
Check which certificate authorities are authorized to issue SSL certificates for your domain.
About DNS Lookup
Complete DNS lookup tool that queries A, AAAA, MX, TXT, NS, CNAME, and other DNS record types from multiple global DNS servers.
Key Features
Multiple record types (A, AAAA, MX, TXT, NS, CNAME, SOA, CAA)
Multi-region DNS resolution
Propagation checking
TTL information
Reverse DNS lookup
CAA (Certification Authority Authorization) records, defined in RFC 8659, are a DNS-based security control that tells certificate authorities which CAs are permitted to issue SSL/TLS certificates for your domain. Since September 2017 the CA/Browser Forum Baseline Requirements have required every publicly trusted CA to check CAA before issuing, which makes it a key defense against mis-issuance. Note that CAA is enforced by the issuing CA, not by browsers: it does not constrain a private CA, and it does not replace Certificate Transparency monitoring for certificates that should not have been issued.
Our CAA lookup tool queries your domain's CAA configuration from multiple global locations, helping you verify that your certificate authority restrictions are properly configured and consistently propagated. This is essential when troubleshooting SSL certificate issuance failures, auditing your domain's security posture, or ensuring that only your approved CAs can issue certificates.
If your SSL certificate request is being rejected, check CAA first, then verify your SSL certificate configuration and hostname coverage. For wildcard certificates, remember that a CA evaluates the "issuewild" records when any are present and falls back to the "issue" records only when there are none; if you publish any issuewild record at all, it must list the CA you are using.
**Methodology:** CAA record queries from 6 regions showing authorized certificate authorities with issue/issuewild flags.
Common DNS Errors & How to Fix Them
No CAA records are configured for this domain. This is not an error per se, but if no ancestor of the name (for example the registered domain) carries CAA either, any certificate authority can issue SSL certificates for it, which may be a security concern. Conversely, a name with no CAA of its own still inherits the nearest ancestor's CAA records, because CAs walk up the DNS tree to find the relevant record set.
1) Check current CAA: dig example.com CAA +short. 2) Add CAA in your DNS panel: 0 issue "letsencrypt.org" (for Let's Encrypt). 3) For violation reports: 0 iodef "mailto:security@example.com". 4) Verify propagation: dig @8.8.8.8 example.com CAA +short. To allow multiple CAs, add a separate issue record for each; the CA evaluates the whole set together.
Your CAA records do not authorize the certificate authority you're trying to use. The CA is required to check CAA records and will refuse to issue if not listed.
1) Check existing CAA: dig example.com CAA +short. 2) Add your CA: 0 issue "letsencrypt.org" (Let's Encrypt), 0 issue "digicert.com" (DigiCert), 0 issue "amazonaws.com" (AWS Certificate Manager). 3) For wildcards, if you publish issuewild records: 0 issuewild "letsencrypt.org". 4) Verify: dig example.com CAA. 5) Wait for the old record's TTL to expire before retrying issuance; some CAs cache CAA lookups for several hours, so a retry immediately after the change can still fail.
The CAA record has an incorrect format. A CAA record has three fields: flags, tag, and value. Common mistakes are misspelled tag names and, on DNS providers that require them, missing quotes around the value.
1) Correct format: 0 issue "letsencrypt.org" (flags=0, tag=issue, value in quotes). The flags field is 0, or 128 to mark the property as issuer-critical. 2) Tags defined by RFC 8659: issue, issuewild, iodef. 3) Check the current record: dig example.com CAA. 4) Common mistakes: missing quotes, typos in the CA domain, or "issuer" instead of "issue". A misspelled tag is not rejected by DNS; CAs simply ignore unknown non-critical tags, so the restriction you intended is silently absent. 5) Test after the fix: dig @8.8.8.8 example.com CAA +short
The domain name does not exist in DNS. This means no DNS records of any type were found for this domain.
1) Verify spelling and delegation: dig example.com NS (many resolvers refuse ANY queries, so query a specific type). 2) Check registration: whois example.com and confirm the domain is registered and not expired. 3) Verify that the NS records at the registrar match your DNS provider. 4) If recently registered, allow up to 24-48 hours for the delegation to propagate and test with: dig @8.8.8.8 example.com
Frequently Asked Questions
CAA (Certification Authority Authorization) records specify which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. Before issuing a certificate, a publicly trusted CA is required to check CAA. For example, 0 issue "letsencrypt.org" allows only Let's Encrypt to issue certificates. This prevents unauthorized certificate issuance by any compliant CA, reducing the risk of man-in-the-middle attacks that rely on a fraudulently obtained certificate for your domain.
CAA records use three tags: "issue" (allows a CA to issue standard certificates), "issuewild" (controls wildcard certificates), and "iodef" (an email address or URL for violation reports). A typical setup might include 0 issue "letsencrypt.org" for Let's Encrypt, 0 issue "digicert.com" for DigiCert, and 0 iodef "mailto:security@yourdomain.com" for notifications. If you use multiple CAs, add an issue record for each. Use 0 issue ";" to forbid every CA from issuing for a name that should never have a certificate.
If your SSL certificate issuance fails with a CAA error, your CAA records do not authorize that certificate authority. Check your CAA records with a lookup tool; it shows which CAs are allowed, and remember that a name without CAA of its own inherits the nearest ancestor's records. Solutions: 1) Add a CAA record for your CA (e.g., 0 issue "letsencrypt.org"), 2) Remove overly restrictive CAA records, or 3) Fix typos in CA domain names or tag names. CAs check CAA at issuance time and may cache the lookup, so after changing records wait for the old TTL to expire before retrying.
Wildcard certificate issuance is governed by the "issuewild" tag when any issuewild record is present, and by the "issue" tag otherwise. So 0 issue "letsencrypt.org" with no issuewild record does allow Let's Encrypt to issue wildcards. Once you add any issuewild record, only the CAs it names may issue wildcards: 0 issuewild "letsencrypt.org" permits Let's Encrypt, and 0 issuewild ";" explicitly blocks all wildcard certificates while still allowing standard ones under the issue records.
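The following evaluator, added here as an example and not the lookup tool's own code, replays the decision a CA makes from the records returned by dig: it parses presentation-format CAA lines, climbs from the requested name toward the root to find the relevant record set (the inheritance described in the troubleshooting steps above), applies the issue/issuewild precedence described in the wildcard answer, and flags the silently ignored misspelled tag. The ZONE dictionary and host names are constructed for the example; the CNAME-following step a live resolver performs is omitted.

```python
"""Offline CAA evaluator (added example, not the lookup tool's code).
Replays the RFC 8659 decision a CA makes before issuing: find the relevant
CAA record set by climbing from the requested name toward the root, then
apply issue/issuewild precedence.  Input records use the `dig +short`
presentation format, e.g.  0 issue "letsencrypt.org".
The ZONE data below is constructed for the example, not live DNS."""

import re
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # tags defined by RFC 8659
CRITICAL = 128                                  # issuer-critical flag bit
CAA_LINE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"?([^"]*)"?\s*$')


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa(line: str) -> CAA:
    """Parse one presentation-format CAA line (quotes around the value are
    optional).  Raises ValueError for structurally broken records; unknown
    tags are kept because CAs ignore them unless the critical flag is set."""
    m = CAA_LINE.match(line)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError(f"flags must be 0-255: {line!r}")
    return CAA(flags, m.group(2).lower(), m.group(3).strip())


def lint_caa(lines: list[str]) -> list[str]:
    """Report the format problems the troubleshooting section lists: broken
    structure, typo'd tags such as 'issuer', and what a CA does with them."""
    problems = []
    for line in lines:
        try:
            rec = parse_caa(line)
        except ValueError as e:
            problems.append(str(e))
            continue
        if rec.tag not in KNOWN_TAGS:
            effect = "CAs must refuse to issue" if rec.flags & CRITICAL else "CAs will ignore it"
            problems.append(f"unknown tag {rec.tag!r} in {line!r}: {effect}")
    return problems


def relevant_records(zone: dict[str, list[str]], name: str) -> tuple[str, list[CAA]]:
    """The relevant record set is the first non-empty CAA set on the name or
    one of its ancestors.  Returns (owner name, records) or ("", [])."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        records = [parse_caa(line) for line in zone.get(owner, [])]
        if records:
            return owner, records
    return "", []


def ca_domain(rec: CAA) -> str:
    """The CA identifier is the value up to the first ';' (parameters follow
    it).  An empty identifier, as in the value ";", authorises no CA."""
    return rec.value.split(";", 1)[0].strip().lower()


def may_issue(zone: dict[str, list[str]], name: str, ca: str) -> tuple[bool, str]:
    """Decide whether CA identifier `ca` (e.g. 'letsencrypt.org') may issue
    for `name`.  A leading '*.' selects wildcard semantics: CAA is looked up
    for the name with the wildcard label removed."""
    wildcard = name.startswith("*.")
    owner, records = relevant_records(zone, name[2:] if wildcard else name)
    if not records:
        return True, "no CAA on the name or any ancestor: any CA may issue"
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False, f"critical unknown property on {owner}"
    props = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not props:                      # no issuewild: 'issue' governs wildcards too
        props = [r for r in records if r.tag == "issue"]
    if not props:                      # only iodef or ignored tags: no restriction
        return True, f"CAA on {owner} sets no issue/issuewild property"
    if any(ca_domain(r) == ca.lower() for r in props):
        return True, f"{ca} authorised by CAA on {owner}"
    allowed = sorted({ca_domain(r) for r in props} - {""}) or ["nobody"]
    return False, f"CAA on {owner} allows only: {', '.join(allowed)}"


# Constructed zone: example.com restricts issuance and forbids wildcards;
# api.example.com has no CAA, so it inherits; legacy.example.com has a typo.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"', '0 issue "digicert.com"',
                    '0 issuewild ";"', '0 iodef "mailto:security@example.com"'],
    "legacy.example.com": ['0 issuer "letsencrypt.org"'],
}

if __name__ == "__main__":
    for host, ca in [("example.com", "letsencrypt.org"), ("api.example.com", "amazonaws.com"),
                     ("*.example.com", "letsencrypt.org"), ("legacy.example.com", "digicert.com")]:
        print(host, ca, *may_issue(ZONE, host, ca))
    print(lint_caa(ZONE["legacy.example.com"]))
```

Feed the records from dig example.com CAA +short into the ZONE dictionary to replay a failed issuance offline. The legacy.example.com case is the instructive one: the misspelled "issuer" tag is a syntactically valid record that the CA ignores, so the name ends up with no restriction at all rather than with an error.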
Related Tools
Global Infrastructure Verification
Verify SSL certificates, DNS records, and connectivity from 6+ regions worldwide. Get automated monitoring, expiry alerts, and full API access.