DNS CAA Record Lookup

Enter a domain name to retrieve its CAA (Certification Authority Authorization) records and ensure your SSL/TLS certificates are managed according to your security policies.

What is the CAA Records?

A CAA (Certification Authority Authorization) record is a type of DNS (Domain Name System) record. It helps domain owners control which Certificate Authorities (CAs) can issue SSL/TLS certificates for their domain. This is important for securing websites because SSL/TLS certificates enable HTTPS, which encrypts data between the user and the website. Here's how it works:
  1. Domain Owner's Choice: The domain owner decides which CAs they trust to issue certificates for their domain. They add CAA records to their DNS settings specifying these trusted CAs.
  2. CA Check: Before issuing a certificate, a CA will check the CAA records for the domain. If the CA is listed in the CAA record, they can issue the certificate. If not, they cannot.
  3. Improved Security: This system helps prevent unauthorized CAs from issuing fake certificates, which could be used in phishing attacks or other malicious activities.

CAA Record Example

Here are some examples of CAA records. For SSL certificates bought from Gandi, you would use these lines:
@ IN CAA 0 issue "sectigo.com"
@ IN CAA 0 issuewild "sectigo.com"
You can also allow more than one CA to issue certificates for your domain. For example:
@ IN CAA 0 issue "sectigo.com"
@ IN CAA 0 issue "letsencrypt.org"

What are the CAA Record Values?

When adding CAA records, here is what each part means:
  • Type: CAA specifies that this record type tells which CA is allowed to issue an SSL certificate for the domain.
  • TTL: This is how long (in seconds) before the record is checked again to see if it has changed. The default is 10800 seconds (3 hours).
  • Name: Leave this empty (@) if it is for the main domain. If it is for a subdomain, put the subdomain name here.
  • Flags: The default is 0. If you put 1, it means the validation will fail if the CA does not recognize the tag.
  • Tag: This shows what the record is about:
    • issue: This CA can provide a certificate for the domain.
    • issuewild: This CA can provide wildcard certificates (covering all subdomains) for the domain.
    • iodef: This is a URL where the CA can send error messages.