CAA Record Lookup Tool

CAA Lookup (Certification Authority Authorization) is a security tool used to verify which companies (Certificate Authorities) are allowed to issue SSL certificates for your domain.

Validate Certification Authority Authorization (CAA) records for any domain. Control which issuers are trusted to secure your website.

What is a CAA Record?

CAA (Certification Authority Authorization) is a DNS record that allows a domain owner to specify which Certificate Authorities (CAs) are authorized to issue SSL/TLS certificates for their domain. Published in RFC 6844, it became a mandatory check for all CAs in 2017, significantly enhancing the security of the public key infrastructure (PKI).

Without a CAA record, any trusted CA globally can issue a certificate for your domain as long as they verify ownership according to their standards. While this sounds fine, it introduces a "weakest link" problem. If a single, obscure CA with weak validation practices is compromised, they could issue a fraudulent certificate for your domain. CAA records solve this by narrowing the field of authorized issuers.

Preventing Mis-issuance and MitM Attacks

A CAA record acts as a high-level policy enforcement. If an unauthorized CA receives a certificate request for a domain that has a CAA record, they are forbidden from issuing that certificate.

"Think of it as a pre-approved list for your domain's birth certificates. If a name isn't on the list, the certificate isn't legitimate."

The CA Verification Process

Request received, then CAA DNS check, then validation and issuance: the certificate is issued only if the CA is authorized by the CAA policy.

Decoding CAA Tag Types

issue

Standard Issuance

Names a specific CA (e.g., letsencrypt.org) that is authorized to issue certificates for the domain; unless an "issuewild" record is present, it governs wildcard certificates as well. This is the primary tag for certificates covering ordinary hostnames.

issuewild

Wildcard Specific

Specifically authorizes CAs for wildcard certificates (*.example.com). When present, this tag takes precedence over "issue" for wildcard requests; it is ignored for non-wildcard requests.

iodef

Incident Reporting

Specifies a URL where CAs should report policy violations. Use this alongside SOA contact info for full security monitoring.

How to Read a CAA Record

example.com. CAA 0 issue "letsencrypt.org"

Flags (0-255)

Currently, only bit 0 (the "issuer critical" flag) is used. 0 means non-critical, 128 means critical.

Tag

The property name being defined (issue, issuewild, or iodef).

Value

The actual value for the tag, such as the CA domain or a reporting URL.

What does the Flag "128" mean?

The number at the beginning of the record (usually 0) is the flag field. If this is set to 128, it means the tag is "critical."

If a CA encounters a tag it doesn't understand and the critical flag is set, it must refuse to issue the certificate. If the flag is 0, the CA may ignore a tag it does not recognize. This ensures that future extensions to the CAA protocol won't be accidentally bypassed by older CA systems.
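The issuance decision described in the sections above (the issue, issuewild and iodef tags, the precedence of issuewild for wildcard requests, the critical flag on unknown tags, and multiple issue records for several CAs), as an added worked example in Python. This is not code from the CuscusLab page or its lookup tool. It also applies the RFC 6844 rule, not covered on this page, that a name with no CAA records of its own is governed by the CAA records of its closest parent. The zone contents, CA names and hostnames are constructed for illustration.

```python
"""Added example, not part of the CuscusLab page or tool: a minimal CAA
policy evaluator. Records are given in presentation format, e.g.
'0 issue "letsencrypt.org"'. All zone data below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # RFC 6844 "bit 0" is the most significant bit: value 128

_CAA_RE = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL)


def parse_caa(text: str) -> CAARecord:
    """Parse 'FLAGS TAG "VALUE"' into a record; tags are case-insensitive."""
    m = _CAA_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError("flags must fit in one octet")
    return CAARecord(flags, m.group(2).lower(), m.group(3))


def issuer_domain(value: str) -> str:
    """Strip 'name=value' parameters from an issue/issuewild value.
    The value ";" yields an empty issuer, which authorizes no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def relevant_rrset(zone: Dict[str, List[str]], fqdn: str) -> List[CAARecord]:
    """RFC 6844 tree climbing: the CAA set of the name itself, or of the
    closest ancestor that has one. An empty list means no policy exists."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return [parse_caa(r) for r in zone[name]]
    return []


def may_issue(records: List[CAARecord], ca: str, wildcard: bool) -> Tuple[bool, str]:
    """Decide whether `ca` may issue for a name governed by `records`."""
    # An unrecognized tag with the critical flag set forces a refusal.
    for r in records:
        if r.tag not in KNOWN_TAGS and r.critical:
            return False, f"unknown critical tag {r.tag!r}"
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild overrides issue for wildcard requests only; for a plain
    # hostname it is ignored and issue records alone decide.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, "no applicable issue/issuewild property: any CA may issue"
    allowed = {issuer_domain(r.value) for r in relevant}
    if ca.lower() in allowed:
        return True, f"{ca} is listed"
    return False, f"{ca} not in {sorted(a for a in allowed if a)}"


def report_url(records: List[CAARecord]):
    """Where a CA should report a violation, per the iodef tag (or None)."""
    for r in records:
        if r.tag == "iodef":
            return r.value
    return None


# Constructed zone: the apex trusts two CAs, wildcards are restricted to one,
# "www" has no records of its own and therefore inherits the apex policy.
ZONE = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com"',
        '0 issuewild "digicert.com"',
        '0 iodef "mailto:security@example.com"',
    ],
    "locked.example.com": ['0 issue ";"'],  # no CA may issue here
    "future.example.com": ['128 newtag "x"', '0 issue "letsencrypt.org"'],
}


def check(fqdn: str, ca: str) -> bool:
    """True if `ca` may issue for `fqdn` ("*.name" requests a wildcard)."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    ok, _ = may_issue(relevant_rrset(ZONE, name), ca, wildcard)
    return ok


if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "letsencrypt.org"),
                     ("locked.example.com", "digicert.com"),
                     ("future.example.com", "letsencrypt.org"),
                     ("other.test", "anything.example")]:
        print(f"{fqdn:22} {ca:18} -> {may_issue(relevant_rrset(ZONE, fqdn.lstrip('*.')), ca, fqdn.startswith('*.'))}")
```

Running the block prints one decision per constructed case: the inherited apex policy admits letsencrypt.org for www, the issuewild record alone decides the wildcard, the ";" issuer blocks everyone, the unknown critical tag forces refusal, and a name with no policy anywhere up the tree is open to any CA. Note that the evaluator only models the policy; a real CA also has to perform the DNS lookup itself, ideally with DNSSEC validation.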

Frequently Asked Questions

What happens if I have no CAA records?

If no CAA record is found, any Certificate Authority is allowed to issue certificates for your domain. This is the default state for most domains, but it is less secure than explicitly defining your trusted partners.

Can I specify multiple CAs?

Yes! You can have multiple CAA records. If you use both DigiCert and Let's Encrypt, you should add an "issue" record for each. This allows either authority to fulfill your requests.

Does CAA affect existing certificates?

No. CAA records are only checked at the time of issuance or renewal. They do not invalidate certificates that have already been issued.

Defense in Depth

CAA is an essential part of a "Defense in Depth" security strategy. While not a silver bullet, it adds significant friction for attackers attempting to exploit the global trust system. Always pair CAA with active Certificate Transparency (CT) monitoring for the highest level of domain assurance.