CAA Lookup


CAA (Certification Authority Authorization) Lookup is a tool for checking the CAA records of a domain. CAA records are DNS records that specify which certificate authorities (CAs) are authorized to issue SSL/TLS certificates for that domain. Use CAA Lookup to verify that the records published for your domain name list only the CAs you trust, which helps prevent unauthorized certificate issuance and enhances the security of your domain.

Frequently Asked Questions

Find answers to the most commonly asked questions below.

What is a CAA record?

A CAA (Certification Authority Authorization) record is a type of DNS record that specifies which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for a domain.

Why is checking CAA records important?

CAA records improve domain security because CAs you have not authorized cannot issue certificates for your domain. This lowers the chance of a certificate being issued incorrectly.

Does CAA affect expiring certificates?

No, CAA records have no effect on expired or previously issued certificates.

What information is shown in a CAA Lookup result?

  • Flag: Default value is 0. Setting it to 1 may disable validation if the tag is unrecognized by the Certificate Authority (CA).
  • Tags: Examples include issue, issuewild, and iodef.
  • Value: The domain name of an authorized CA.

What are the common CAA tags?

  • issue: Specifies a CA that can issue certificates for the domain.
  • issuewild: Specifies a CA that can issue wildcard certificates for the domain.
  • iodef: Specifies a URL or email address to report certificate issuance issues.

What happens if no CAA record is present?

If a domain has no Certification Authority Authorization (CAA) record, any Certificate Authority (CA) can issue an SSL/TLS certificate for it.

Can CAA records be used with subdomains?

CAA records set policies for the entire domain and automatically apply to all subdomains unless a specific CAA record is defined to override the policy at the subdomain level.
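
The inheritance and "no record" rules from the answers above, written out as an added example (not part of the original page or the tool's code): a check that climbs from the requested name to its parents and applies the issue and issuewild tags, following RFC 8659. The zone data, CA names and function names are constructed for illustration, and the flag field is not modelled.

```python
# Constructed sample data (not real DNS): name -> list of (tag, value) CAA
# properties. The flag field is left out of this sketch.
SAMPLE_ZONE = {
    "example.com": [
        ("issue", "ca-one.example"),
        ("issuewild", ";"),                      # no CA may issue wildcards
        ("iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [("issue", "ca-two.example")],  # subdomain override
}

def relevant_records(name, zone):
    """Climb from `name` toward the root; the closest name with CAA wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard request starts at its parent
        labels = labels[1:]
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []

def may_issue(ca, name, zone=SAMPLE_ZONE):
    """Return (allowed, reason) for the CA identifier `ca` and `name`."""
    source, records = relevant_records(name, zone)
    if not records:
        return True, "no CAA record on the name or any parent"
    issue = [v for t, v in records if t.lower() == "issue"]
    issuewild = [v for t, v in records if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise issue.
    values = issuewild if name.startswith("*.") and issuewild else issue
    if not values:
        return True, f"records at {source} do not restrict this request"
    # The CA domain is the part before any ';' parameters; ';' alone is empty.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    if ca.lower() in allowed:
        return True, f"authorized by record at {source}"
    return False, f"not listed in record at {source}"

if __name__ == "__main__":
    for ca, name in [("ca-one.example", "www.example.com"),
                     ("ca-one.example", "shop.example.com"),
                     ("ca-one.example", "*.example.com"),
                     ("ca-one.example", "example.org")]:
        print(ca, name, may_issue(ca, name))
```
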

Are CAA records mandatory?

No, CAA records are not mandatory, but they are highly recommended to protect against unauthorized certificate issuance.