CAA Record Checker & Generator

Check your domain's Certificate Authority Authorization records or generate new ones to control which CAs can issue certificates.

What are CAA Records?

CAA (Certificate Authority Authorization) is a DNS record type that allows domain owners to specify which certificate authorities (CAs) are permitted to issue SSL/TLS certificates for their domain. This helps prevent unauthorized certificate issuance.

How this check works

This tool queries DNS CAA records for the domain and parses each record's flag, tag (issue, issuewild, iodef), and value fields per RFC 8659. It identifies which CAs are authorized, whether wildcard certificates are restricted, and whether incident reporting is configured.

Limitations: CAA records are advisory to certificate authorities during issuance — they do not prevent use of already-issued certificates. This tool checks the current DNS state only and cannot detect if a CA has ignored a CAA restriction. CAA inheritance from parent zones is not followed in this check.

CAA Record Tags

  • issue — Specifies a CA authorized to issue certificates for the domain.
  • issuewild — Specifies a CA authorized to issue wildcard certificates. Use issuewild ";" to deny all wildcard certs.
  • iodef — Specifies a URL or email address for CAs to report policy violations.

Example CAA Records

example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild ";"
example.com. CAA 0 iodef "mailto:[email protected]"
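
The parsing described under "How this check works", applied to records written like the ones above, as an added example that is not this tool's own code. It works offline on constructed record lines instead of querying DNS, and it also applies two RFC 8659 rules: issuewild overrides issue for wildcard names, and flag bit 128 marks a property as issuer critical. The names parse_caa and summarize, the report address and the "futuretag" property are assumptions made for illustration.

```python
import re
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # the three tags this page covers

def parse_caa(line):
    """Parse '<owner> [ttl] [class] CAA <flags> <tag> <value>' into a dict."""
    tokens = shlex.split(line)  # also strips the quotes around the value
    try:
        i = [t.upper() for t in tokens].index("CAA")
        flags, tag, value = int(tokens[i + 1]), tokens[i + 2].lower(), tokens[i + 3]
    except (ValueError, IndexError):
        raise ValueError(f"not a CAA record: {line!r}") from None
    if not 0 <= flags <= 255 or not re.fullmatch(r"[a-z0-9]+", tag):
        raise ValueError(f"bad flags or tag: {line!r}")
    return {"flags": flags, "tag": tag, "value": value}

def _issuers(records, tag):
    """Issuer domains for a tag: None if the tag is absent, [] if it denies all."""
    values = [r["value"] for r in records if r["tag"] == tag]
    if not values:
        return None
    # Text after the first ';' is parameters; an empty issuer name authorizes nobody.
    return sorted({v.split(";", 1)[0].strip().lower() for v in values} - {""})

def summarize(lines):
    """Report the policy a CA would read from one RRset (no parent-zone lookup)."""
    records = [parse_caa(l) for l in lines if l.strip()]
    issue, wild = _issuers(records, "issue"), _issuers(records, "issuewild")
    return {
        "issue": issue,  # None = this RRset does not restrict issuance
        "wildcard": issue if wild is None else wild,  # issuewild overrides issue
        "iodef": [r["value"] for r in records if r["tag"] == "iodef"],
        # Flag bit 128 (issuer critical): a CA must refuse if it does not know the tag.
        "critical_unknown": sorted({r["tag"] for r in records
                                    if r["flags"] & 0x80 and r["tag"] not in KNOWN_TAGS}),
    }

# Constructed sample RRset; the report address and "futuretag" are made up.
SAMPLE = [
    'example.com. CAA 0 issue "letsencrypt.org; validationmethods=dns-01"',
    'example.com. 3600 IN CAA 0 issuewild ";"',
    'example.com. CAA 0 iodef "mailto:caa-reports@example.com"',
    'example.com. CAA 128 futuretag "x"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An empty list means the tag is present but authorizes no CA, while None means the record set places no restriction for that kind of certificate.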

Why CAA Matters

Without CAA records, any trusted CA can issue a certificate for your domain. While CAs are required to check CAA records before issuing certificates (per CA/Browser Forum rules), the absence of CAA records means no restrictions are in place. Adding CAA records is a simple but effective security measure.

CAA and Certificate Transparency

CAA works alongside Certificate Transparency (CT) logs. CAA prevents unauthorized issuance proactively, while CT logs help detect any certificates that were issued despite CAA restrictions.

Free CAA Record Checker & Generator - Certificate Authority Authorization | SpoofSentry