CAA Record Checker
Checks Certification Authority Authorization (CAA) DNS records: which CAs can issue certificates, wildcard policy, iodef violation reporting. Flags missing CAA as high risk — any CA can issue certs without authorization.
How to Use CAA Record Checker
1. Enter your domain name to look up its CAA records.
2. CAA records control which Certificate Authorities can issue TLS certificates for your domain.
3. The tool shows the authorized CAs for regular and wildcard certificates, plus the iodef address for violation reporting.
4. Missing CAA records are flagged: without them, any CA can issue certificates for your domain without authorization.
Frequently Asked Questions
What is a CAA record and why is it important?
A CAA (Certification Authority Authorization) DNS record (RFC 8659) specifies which Certificate Authorities are allowed to issue TLS/SSL certificates for your domain. Without CAA records, any of the hundreds of publicly trusted CAs can issue a certificate for your domain, so if any one CA is compromised or makes a mistake, an attacker could obtain a valid certificate. With CAA records, you restrict issuance to the one or two CAs you actually use. CAA checking at issuance time is mandatory for CAs under the CA/Browser Forum Baseline Requirements, which the major browsers' root programs enforce. CAA records are one layer of a defense-in-depth certificate security strategy, not a replacement for monitoring Certificate Transparency logs.
What is the difference between issue and issuewild in CAA?
issue controls which CAs can issue regular DV/OV/EV certificates for names in your domain (e.g., example.com, www.example.com). issuewild controls which CAs can issue wildcard certificates (*.example.com). If you only have issue records and no issuewild records, the issue records apply to wildcards too; if both are present, issuewild takes precedence for wildcard requests. To block wildcard issuance entirely, add: 0 issuewild ";" (the bare semicolon in the quoted value means no CA is authorized). That blocks wildcard issuance even by the CAs you authorize for regular certificates, or by an attacker who compromises your account at one of them.
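The issue/issuewild precedence rules, the empty-set ";" value and the parent-climbing lookup of RFC 8659 are easy to get wrong when reading a record set by hand. The following is an added example (not this checker's own code) that evaluates a CAA policy offline from presentation-format records; the zone contents are constructed sample data and the lookup is a dictionary rather than real DNS, so it runs without network access.

```python
"""Evaluate a domain's CAA policy from presentation-format records (RFC 8659).

Added example; not the checker's own code. The zone contents below are
constructed sample data, and the lookup is an offline dict rather than DNS.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # one octet; 128 sets the issuer-critical bit
    tag: str     # issue, issuewild or iodef (compared case-insensitively)
    value: str   # CA domain with optional ";param=value" suffix, or a report URL


def parse_caa(text: str) -> CAARecord:
    """Parse '<flags> <tag> "<value>"'; the quotes around the value are optional."""
    parts = text.strip().split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"malformed CAA record: {text!r}")
    flags = int(parts[0])
    if not 0 <= flags <= 255:
        raise ValueError("CAA flags must fit in one octet")
    value = parts[2].strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(flags, parts[1].lower(), value)


def relevant_rrset(zone: dict, name: str):
    """RFC 8659 section 3: use the CAA set at the name itself, otherwise climb
    to each parent until a non-empty set is found. Returns (origin, records)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = zone.get(candidate, [])
        if records:
            return candidate, records
    return None, []


def authorized_cas(zone: dict, name: str) -> dict:
    """Return which CAs may issue for `name` (use '*.example.com' for a wildcard).

    'cas' is None when issuance is unrestricted, an empty set when no CA is
    authorized, otherwise the set of authorized CA domains."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    origin, rrset = relevant_rrset(zone, base)
    if not rrset:
        # No CAA anywhere up the tree: every CA is authorized (the high-risk case).
        return {"origin": None, "caa_present": False, "cas": None, "reports": []}
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild, when present, takes precedence for wildcard names and is
    # ignored for non-wildcard names; without it, issue governs wildcards too.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        cas = None  # CAA present (e.g. only iodef) but no issue restriction
    else:
        cas = set()
        for r in applicable:
            # Drop ";param=value" parameters; a bare ";" yields no CA at all.
            domain = r.value.split(";", 1)[0].strip().lower()
            if domain:
                cas.add(domain)
    return {
        "origin": origin,
        "caa_present": True,
        "cas": cas,
        "reports": [r.value for r in rrset if r.tag == "iodef"],
    }


# Constructed sample zone: CAA only at the apex, nothing at the subdomains.
SAMPLE_ZONE = {
    "example.com": [parse_caa(s) for s in (
        '0 issue "letsencrypt.org"',
        '0 issue "pki.goog; validationmethods=dns-01"',
        '0 issuewild ";"',
        '0 iodef "mailto:security@example.com"',
    )],
    "nocaa.test": [],
}

if __name__ == "__main__":
    for n in ("www.example.com", "*.example.com", "*.api.example.com", "nocaa.test"):
        print(n, authorized_cas(SAMPLE_ZONE, n))
```

With the sample zone, www.example.com resolves to {letsencrypt.org, pki.goog}, both wildcard names resolve to an empty set because issuewild ";" overrides the issue records, and nocaa.test reports no CAA at all, which is the condition the checker flags as high risk.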
What is iodef in CAA and should I use it?
iodef (Incident Object Description Exchange Format) tells CAs where to send reports when someone requests a certificate for your domain that violates your CAA policy. Format: 0 iodef "mailto:security@yourdomain.com". This gives you an early warning if someone attempts to get an unauthorized certificate. Not all CAs send iodef reports, but major ones like Let's Encrypt, DigiCert, and Comodo support it. It's a free, low-noise security monitoring signal worth enabling.
Will CAA records break my current SSL certificate?
Adding CAA records will NOT affect your currently issued certificate — it only affects future certificate issuance. However, you need to ensure your current CA is listed before your cert expires. If you're using Let's Encrypt, add: 0 issue "letsencrypt.org". If Cloudflare manages your certs, add: 0 issue "letsencrypt.org" and 0 issue "pki.goog" (Google Trust Services, which Cloudflare also uses). Test CAA before your cert renewal date by checking which CA issues your current cert (see TLS Certificate Checker).
What is the flag value (0 or 128) in CAA records?
The flag is an 8-bit integer. Flag 0 is the standard value and means "non-critical": a CA that doesn't understand a specific CAA tag treats that record as if it didn't exist. Flag 128 sets the issuer-critical bit: a CA that doesn't understand the tag MUST refuse to issue a certificate. In practice, flag 0 is used for all standard tags (issue, issuewild, iodef), since every compliant CA understands them. Flag 128 would only be relevant for custom or experimental CAA tags, where you want CAs that don't implement the tag to refuse rather than ignore it. Use flag 0 for all standard CAA records.
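The flags octet is the first byte of the record's DNS wire format, and the critical bit is its most significant bit, which is why the value is 128. The following is an added example (not this checker's own code) that encodes and decodes CAA RDATA per RFC 8659 section 4.1 and shows the refusal rule from the issuer's side; the record contents are constructed, and "futuretag" is a hypothetical tag name used only to stand in for a tag an issuer does not implement.

```python
"""Encode and decode CAA RDATA in DNS wire format (RFC 8659 section 4.1) and
apply the issuer-critical flag. Added example; not the checker's own code.
Record contents below are constructed; 'futuretag' is a hypothetical tag."""

CRITICAL = 0x80              # bit 0 (most significant) of the flags octet = 128
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def encode_caa(flags: int, tag: str, value: str) -> bytes:
    """RDATA = flags (1 octet) | tag length (1 octet) | tag | value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_bytes = tag.encode("ascii")
    # RFC 8659: a tag is 1-255 US-ASCII letters and digits.
    if not 1 <= len(tag_bytes) <= 255 or not tag.isalnum():
        raise ValueError("tag must be 1-255 US-ASCII letters/digits")
    return bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("utf-8")


def decode_caa(rdata: bytes) -> tuple:
    """Inverse of encode_caa; rejects truncated or malformed RDATA."""
    if len(rdata) < 2:
        raise ValueError("RDATA shorter than the two fixed octets")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("tag length is zero or runs past the end of the RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError("tag must be US-ASCII letters/digits")
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag.lower(), value


def is_critical(flags: int) -> bool:
    """True when the issuer-critical bit (128) is set."""
    return bool(flags & CRITICAL)


def tags_forcing_refusal(records, known_tags=frozenset(KNOWN_TAGS)) -> list:
    """Tags that oblige an issuer to refuse: critical records whose tag the
    issuer does not understand. Non-critical unknown tags are simply ignored,
    and critical records with a known tag are processed normally."""
    return sorted({tag for flags, tag, _ in records
                   if is_critical(flags) and tag not in known_tags})


if __name__ == "__main__":
    wire = encode_caa(0, "issue", "letsencrypt.org")
    print(wire.hex(), decode_caa(wire))
    rrset = [decode_caa(encode_caa(128, "futuretag", "x")), decode_caa(wire)]
    print("issuer must refuse because of:", tags_forcing_refusal(rrset))
```

The decoder returns the raw flags value rather than only a boolean so that a checker can display it as the page does (0 or 128) while still reporting any record that sets the critical bit with a tag it does not recognise.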