
CAA check

Check a domain’s CAA records and see which certificate authorities are allowed to issue TLS/SSL certificates for the domain.

Enter only the domain name, for example domain.com, without the https:// prefix.

Guide · CAA records

What does this CAA check do?

The CAA check shows whether a domain has published Certificate Authority Authorization records. With CAA records, a domain owner can define which certificate authorities are allowed to issue TLS/SSL certificates for the domain.

issue

The issue tag defines which certificate authorities are allowed to issue regular certificates for the domain.

issuewild

The issuewild tag defines which certificate authorities are allowed to issue wildcard certificates.

iodef

The iodef tag can define an address where a certificate authority may report CAA policy issues.

Inheritance

If a subdomain does not have its own CAA records, the policy can be inherited from a parent domain.

Why does CAA matter?

CAA gives the domain owner additional control over which certificate authorities may issue certificates for the domain. It does not replace DNSSEC, TLS configuration or certificate management, but it reduces the risk of an unexpected certificate being issued by the wrong authority.

CAA is especially useful when an organization uses only selected certificate authorities, such as Let’s Encrypt, DigiCert, Google Trust Services or another chosen certificate provider.

How to interpret the result

If CAA records are found, the result shows which domain they were found on and which certificate authorities they allow. If no CAA records are found, the website usually still works, but the domain is not restricting certificate issuance with CAA.

The value issue ";" means that regular certificate issuance is forbidden. The value issuewild ";" means that wildcard certificate issuance is forbidden. These settings can be intentional, but they can also prevent certificate renewal if used incorrectly.
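The interpretation rules above (inheritance from a parent domain, issue versus issuewild, and the ";" value) can be worked through in code. The following is an added example, not this tool's own code: the zone data, domain names and function names are constructed for illustration, and record flags are left out. It follows the lookup rules of RFC 8659, including the rule that issue also governs wildcard names when no issuewild record is present.

```python
# Constructed sample data: CAA record sets keyed by the name they are published on.
# Each record is (tag, value); record flags are omitted in this sketch.
ZONE = {
    "example.com": [("issue", "letsencrypt.org"), ("issuewild", ";"),
                    ("iodef", "mailto:security@example.com")],
    "shop.example.com": [("issue", "digicert.com")],
    "locked.example.com": [("issue", ";")],
}

def relevant_caa(name, zone=ZONE):
    """Climb from name towards the root and return (found_on, records) for the
    first name that has CAA records, or (None, []) if none is found."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":  # a wildcard request is looked up on its base name
        labels = labels[1:]
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []

def ca_domain(value):
    """Issuer domain of an issue/issuewild value, without ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name, ca, zone=ZONE):
    """Return (allowed, found_on) for a CA asked to issue for name."""
    found_on, records = relevant_caa(name, zone)
    if found_on is None:
        return True, None  # no CAA anywhere: issuance is not restricted
    wildcard = name.startswith("*.")
    issue = [v for t, v in records if t.lower() == "issue"]
    issuewild = [v for t, v in records if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names only.
    values = issuewild if (wildcard and issuewild) else issue
    if not values:
        # Only iodef (or otherwise non-restricting) records: not forbidden.
        return True, found_on
    # A value of ";" has an empty issuer domain, so it matches no CA.
    return any(ca_domain(v) == ca.lower() for v in values), found_on

if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "letsencrypt.org"),
                     ("shop.example.com", "letsencrypt.org")]:
        print(name, ca, may_issue(name, ca))
```

The shop.example.com case is the renewal failure described in the FAQ: the subdomain publishes its own record set, so the parent's policy no longer applies and a certificate service using a different authority is refused.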

Frequently asked questions

Is CAA required?

No. A domain can work without CAA records, but CAA gives additional control over which certificate authorities may issue certificates.

Can CAA prevent certificate renewal?

Yes. If CAA allows only one certificate authority but the active certificate service uses another, certificate issuance or renewal can fail.

Does CAA require DNSSEC?

CAA works without DNSSEC, but DNSSEC improves trust in DNS responses and complements DNS-based security mechanisms.