CAA record lookup
CAA (Certification Authority Authorization, RFC 8659) is a DNS record that states which CAs are allowed to issue certificates for your domain. Every publicly trusted CA has been required to check it before issuance since 2017 (CA/Browser Forum Baseline Requirements).
How to look it up
Two ways to query, depending on what is installed on your machine.
With dig: `dig CAA example.com +short`
With dotdig: `dotdig caa example.com`
Sample response
0 issue "letsencrypt.org"
0 issuewild ";"
0 iodef "mailto:security@example.com"
Format
Format: `<flags> <tag> <value>`. Common tags: `issue` (a CA allowed to issue; `;` alone forbids every CA), `issuewild` (a CA allowed to issue wildcard certificates; `;` = forbid), `iodef` (where CAs report policy violations: a `mailto:` or `https:` URL). A value may carry CA-specific parameters after a `;`, for example `letsencrypt.org; validationmethods=dns-01`. Flags: 0 is normal; 128 sets the issuer-critical bit, meaning a CA that does not understand the tag must refuse to issue.
Common pitfalls
- WARNING: missing CAA = ALL CAs allowed. Adding CAA limits issuance, but if you forget to authorize the CA you actually use (for Let's Encrypt, `issue "letsencrypt.org"`) before publishing, your renewals break.
- CAA is checked at issuance time only. Adding or tightening it does not affect certificates already issued, and browsers never look at it.
- CAA inheritance: the CA starts at the exact name and walks up toward the root; the first CAA record set it finds is the one that applies. CAA at `example.com` therefore covers `mail.example.com` UNLESS `mail.example.com` has its own CAA record, in which case the parent's records are ignored entirely (not merged).
- `issuewild ";"` = no CA can issue a wildcard. For a wildcard name, `issuewild` records (when present) replace the `issue` records completely, so `issue "letsencrypt.org"` does not rescue a `*.example.com` request. With no `issuewild` at all, the `issue` records govern wildcards too.
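The rules above (tree climbing, subdomain override, `issuewild` precedence, the critical bit) are easiest to see by running them. The script below is an added example, not code from this page or from dotdig: it implements the RFC 8659 evaluation a CA performs, against a constructed in-memory zone so it runs offline. The zone contents, the owner names `dev.example.com` and `locked.example.com`, and the helper names (`parse_caa`, `relevant_rrset`, `issuer_domain`, `may_issue`) are assumptions for illustration.

```python
# Added example (not part of the page or of dotdig): evaluate CAA the way a CA
# does under RFC 8659, against a constructed in-memory zone so it runs offline.
# Zone data, owner names and helper names are assumptions for illustration.
import re
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAA:
    """Parse presentation-format CAA RDATA: <flags> <tag> "<value>"."""
    m = re.fullmatch(r'\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', rdata)
    if not m:
        raise ValueError(f"not a CAA record: {rdata!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError("CAA flags must fit in one octet")
    return CAA(flags, m.group(2).lower(), m.group(3))


# Constructed zone data: owner name -> CAA RRset (mirrors the sample response above).
ZONE = {
    "example.com": [parse_caa(r) for r in (
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',
        '0 iodef "mailto:security@example.com"',
    )],
    # Subdomain with its own RRset: the parent's records are ignored below it.
    "dev.example.com": [parse_caa('0 issue "digicert.com; validationmethods=dns-01"')],
    # Critical flag on a tag no CA understands: issuance must be refused.
    "locked.example.com": [parse_caa('128 unknowntag "x"')],
}


def relevant_rrset(fqdn, zone=ZONE):
    """Climb from the FQDN toward the root; the first CAA RRset found is the relevant one."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_domain(value):
    """Strip CAA parameters: 'ca.example; k=v' -> 'ca.example'; ';' alone -> '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, fqdn, zone=ZONE):
    """Return True if the CA with issuer domain `ca` may issue for `fqdn` (wildcards allowed)."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    _, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: every CA may issue
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False  # critical property the CA does not understand: refuse
    has_issuewild = any(r.tag == "issuewild" for r in rrset)
    tag = "issuewild" if wildcard and has_issuewild else "issue"
    governing = [r for r in rrset if r.tag == tag]
    if not governing:
        return True  # e.g. only iodef present: no issuance restriction stated
    return ca.lower() in {issuer_domain(r.value) for r in governing}


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com"),
                     ("letsencrypt.org", "*.example.com"),
                     ("letsencrypt.org", "api.dev.example.com"),
                     ("digicert.com", "*.dev.example.com")]:
        print(f"{ca:16} -> {name:22} {'allowed' if may_issue(ca, name) else 'REFUSED'}")
```

Run it and compare against the pitfalls: `www.example.com` inherits from `example.com`, `*.example.com` is refused by `issuewild ";"` even though `issue` names Let's Encrypt, `api.dev.example.com` sees only the `dev.example.com` set, and the `locked.example.com` set refuses everyone because of the critical unknown tag. To check a live zone, feed the output of `dig CAA <name> +short` to `parse_caa` instead of the constructed `ZONE`.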
Why it matters for security
CAA is the only DNS-level control over certificate issuance. Without it, any publicly trusted CA that can be induced to validate your domain, whether through a compromised CA account, an attacker who controls a validation path, or a mis-issuing CA, can issue certificates for your domain with no involvement from you. Two caveats: CAA is enforced by the CA at the moment of issuance, so it constrains CAs that follow the rules and cannot stop a CA that ignores them; and the lookup is ordinary DNS, so the Baseline Requirements let a CA treat a persistent lookup failure as permission to issue when the zone has no DNSSEC chain to the root. DNSSEC-sign the zone, and monitor Certificate Transparency logs to detect what CAA cannot prevent.
Use cases
- Restrict cert issuance to chosen CAs
- Audit existing CAA before cert renewal
- Block wildcard cert issuance
- Set up incident-report contact (iodef)
Look up DNS without flag soup
dotdig is a friendly DNS resolver — formatted output, custom resolver support, DNSSEC validation. Zero-config alternative to dig.