About CAA DNS Record Lookup

Query DNS CAA records to verify which certificate authorities are authorized to issue SSL/TLS certificates for your domain.

CAA DNS Record Lookup is a specialized version of the DNS Lookup tool, focused on CAA records and SSL/TLS certificate issuance.

Key Features

  • Multiple record types (A, AAAA, MX, TXT, NS, CNAME, SOA, CAA)
  • Multi-region DNS resolution
  • Propagation checking
  • TTL information
  • Reverse DNS lookup

How CAA DNS Record Lookup Works

ProbeOps CAA DNS Record Lookup tests from 6 global locations to provide comprehensive results. When you run a check, our probe nodes in US East (Virginia), US West (Oregon), EU Central (Helsinki), AP South (Mumbai), CA Central (Canada), AP Southeast (Sydney) simultaneously query the target to identify regional differences and ensure global accessibility.

Results are returned in real-time with detailed breakdowns per region, allowing you to identify location-specific issues that might affect your users in different geographic areas.

Common Use Cases

  • Verify DNS propagation after making changes
  • Check email authentication records (SPF, DKIM, DMARC)
  • Troubleshoot domain resolution issues
  • Validate CDN and load balancer DNS configuration

API Access

All ProbeOps tools are available via REST API for automation and integration. The CAA DNS Record Lookup can be called programmatically from your applications, CI/CD pipelines, or monitoring scripts. See our API documentation for integration guides.

Pricing

CAA DNS Record Lookup is available on all ProbeOps plans including our free tier. Free users get 100 probes per month with access to 2 regions. Paid plans starting at $19/month include unlimited regions and higher limits. See pricing details.

About DNS Lookup

Complete DNS lookup tool that queries A, AAAA, MX, TXT, NS, CNAME, and other DNS record types from multiple global DNS servers.

Also Available via API & MCP Server

Automate DNS lookup checks in your CI/CD pipelines or run them directly from your AI coding agent.

REST API

Single endpoint, JSON response. Integrate into any language or platform.

cURL

curl -X POST https://probeops.com/api/v1/run \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"tool": "dns_lookup", "target": "example.com"}'

MCP Server

Works with Claude Code, Cursor, Windsurf, and any MCP-compatible IDE.

Claude Code

> Check the dns lookup for example.com

Claude uses the probeops_dns_lookup tool to run
the check from 6 global regions and returns
structured results.

CAA (Certification Authority Authorization) records are a DNS security control that specifies which certificate authorities are permitted to issue SSL/TLS certificates for your domain. Since 2017, all CAs are required to check CAA records before issuing certificates, making this a key defense against unauthorized certificate issuance.

Our CAA lookup tool queries your domain's CAA configuration from multiple global locations, helping you verify that your certificate authority restrictions are properly configured and consistently propagated. This is essential when troubleshooting SSL certificate issuance failures, auditing your domain's security posture, or ensuring that only your approved CAs can issue certificates.

If your SSL certificate request is being rejected, check CAA first, then verify your SSL certificate configuration and hostname coverage. For wildcard certificates, ensure your CAA includes the "issuewild" tag for your CA.

**Methodology:** CAA record queries from 6 regions showing authorized certificate authorities with issue/issuewild tags.

Common DNS Errors & How to Fix Them

What This Means

No CAA records are configured for this domain. While not an error per se, this means any certificate authority can issue SSL certificates for your domain, which may be a security concern.

How to Fix

1) Check current CAA: dig example.com CAA +short
2) Add CAA in DNS panel: "0 issue letsencrypt.org" (for Let's Encrypt)
3) For notifications: "0 iodef mailto:security@example.com"
4) Verify propagation: dig @8.8.8.8 example.com CAA +short

Example for multiple CAs: add a separate issue record for each.

Tags: caa, no caa, missing caa, certificate authority

What This Means

Your CAA records do not authorize the certificate authority you're trying to use. The CA is required to check CAA records and will refuse to issue if not listed.

How to Fix

1) Check existing CAA: dig example.com CAA +short
2) Add your CA: "0 issue letsencrypt.org" (Let's Encrypt), "0 issue digicert.com" (DigiCert), "0 issue amazonaws.com" (ACM)
3) For wildcards: "0 issuewild letsencrypt.org"
4) Verify: dig example.com CAA
5) Wait 5-10 min for propagation, retry cert issuance.

Tags: caa, blocked, not authorized, issuance failed, ssl error

What This Means

The CAA record has an incorrect format. CAA records require a specific structure: flag, tag, and value. Common mistakes include wrong tag names or missing quotes around values.

How to Fix

1) Correct format: 0 issue "letsencrypt.org" (flag=0, tag=issue, value in quotes)
2) Valid tags: issue, issuewild, iodef
3) Check current record: dig example.com CAA
4) Common mistakes: missing quotes, typos in CA domain, using "issuer" instead of "issue"
5) Test after fix: dig @8.8.8.8 example.com CAA +short

Tags: caa, invalid, format error, syntax

What This Means

The domain name does not exist in DNS. This means no DNS records of any type were found for this domain.

How to Fix

1) Verify spelling: dig example.com ANY
2) Check registration: whois example.com (look for "Status: active")
3) Verify NS at registrar matches your DNS provider
4) If recently registered, wait 24-48 hours and test with: dig @8.8.8.8 example.com

Tags: nxdomain, domain not found, no such domain, dns lookup failed

Frequently Asked Questions

CAA (Certification Authority Authorization) records specify which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. Before issuing a certificate, CAs are required to check CAA records. For example, "0 issue letsencrypt.org" allows only Let's Encrypt to issue certificates. This prevents unauthorized certificate issuance, protecting against man-in-the-middle attacks where an attacker obtains a fraudulent certificate for your domain.

Tags: caa, ssl, security

CAA records use three main tags: "issue" (allows a CA to issue standard certificates), "issuewild" (allows wildcard certificates), and "iodef" (email/URL for violation reports). A typical setup might include: "0 issue letsencrypt.org" for Let's Encrypt, "0 issue digicert.com" for DigiCert, and "0 iodef mailto:security@yourdomain.com" for notifications. If you use multiple CAs, add an issue record for each. Use "0 issue ;" to block all CAs if you don't use SSL.

Tags: caa, ssl, configuration

If your SSL certificate issuance fails with a CAA error, your CAA records don't authorize that certificate authority. Check your CAA records with a lookup tool—you'll see which CAs are allowed. Solutions: 1) Add a CAA record for your CA (e.g., "0 issue letsencrypt.org"), 2) Remove overly restrictive CAA records, or 3) Ensure there are no typos in CA domain names. Remember that CAA records are checked at the exact moment of issuance, so changes need time to propagate.

Tags: caa, ssl, troubleshooting

Wildcard certificate issuance requires the "issuewild" CAA tag, not just "issue". If you have "0 issue letsencrypt.org" but no issuewild record, Let's Encrypt can issue standard certificates but NOT wildcards. To allow wildcards, add "0 issuewild letsencrypt.org". If issuewild is absent, the CA falls back to checking the issue tag. Set "0 issuewild ;" to explicitly block all wildcard certificates while still allowing standard ones.

Tags: caa, ssl, wildcard
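The record format rules from the troubleshooting entries (flag, tag, quoted value; issue, issuewild, iodef) and the issuewild fallback described in this answer, as an added Python example that is not ProbeOps code: it lints CAA lines as printed by dig +short and decides whether a CA may issue. The function names, the choice to reject any tag outside the three listed on this page, and the sample records are assumptions for illustration; the input is assumed to be the CAA set already retrieved for the domain.

```python
import re

KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # the tags this page lists
# <flag> <tag> <value>, value quoted or bare, as printed by `dig +short`
_RECORD = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+(?:"([^"]*)"|(\S.*))$')

def parse_caa(line):
    """Parse one CAA record line into (flag, tag, value); ValueError if malformed."""
    m = _RECORD.match(line.strip())
    if not m:
        raise ValueError(f"expected <flag> <tag> <value>: {line!r}")
    flag, tag = int(m.group(1)), m.group(2).lower()
    value = m.group(3) if m.group(3) is not None else m.group(4)
    if not 0 <= flag <= 255:
        raise ValueError(f"flag must be 0-255: {line!r}")
    if tag not in KNOWN_TAGS:  # lint choice (assumption): catches "issuer" typos
        raise ValueError(f"unknown tag {tag!r}: {line!r}")
    if '"' in value:
        raise ValueError(f"unbalanced quotes: {line!r}")
    return flag, tag, value.strip()

def ca_domains(records, tag):
    """CA domains named by records carrying `tag`; a bare ';' names none."""
    names = set()
    for _, rec_tag, value in records:
        domain = value.split(";", 1)[0].strip().lower()  # drop parameters
        if rec_tag == tag and domain:
            names.add(domain)
    return names

def may_issue(lines, ca, wildcard=False):
    """True if the CAA set lets `ca` issue (a wildcard certificate if wildcard)."""
    records = [parse_caa(line) for line in lines]
    tags = {tag for _, tag, _ in records}
    # issuewild decides wildcard requests when present; if it is absent,
    # the issue records apply to wildcard requests too.
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True  # nothing restricts this request type
    return ca.lower() in ca_domains(records, tag)

# Constructed sample: one CA for standard certs, wildcards blocked, reports on.
SAMPLE = ['0 issue "letsencrypt.org"', '0 issuewild ";"',
          '0 iodef "mailto:security@example.com"']

if __name__ == "__main__":
    for ca, wild in (("letsencrypt.org", False), ("letsencrypt.org", True),
                     ("digicert.com", False)):
        print(ca, "wildcard" if wild else "standard", may_issue(SAMPLE, ca, wild))
```

Running the same check on the records returned from each resolver you query shows whether every location sees the same policy.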

Global Infrastructure Verification

Verify SSL certificates, DNS records, and connectivity from 6+ regions worldwide.

Last updated: January 27, 2026