CAA Record DNS Lookup and Domain Check

CAA record lookup for certificate control

CAA records restrict which certificate authorities are allowed to issue certificates for a domain. They help prevent unauthorized issuance and give domain owners more control over TLS certificates. A CAA lookup lets you confirm which CAs are permitted and whether contact or reporting directives are present.

Common issues include forgetting to include the CA you use, misconfiguring the issuewild directive for wildcard certificates, or publishing conflicting CAA entries. If a CA is not listed, certificate issuance may fail. This lookup helps confirm the policy before renewal or rollout.

If you need related checks, try the SSL/PKI DNS check validator and the TLSA record DNS lookup.

issue controls normal certificates, while issuewild applies specifically to wildcard certificates. If issuewild is absent, issue may apply to both depending on CA behavior.

iodef provides a reporting URI for CAA violations. It is optional but useful for monitoring unexpected issuance attempts.

The CA you used may not be authorized by your CAA policy. Update the CAA record to include the correct CA, or change to a provider that the policy authorizes.

Yes. CAA policies are inherited down the domain tree unless overridden by a more specific record.

Yes. You can publish multiple issue directives to allow more than one CA.

CAA is subject to normal DNS caching. Allow for TTL propagation before retrying issuance.
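
The answers above on issue versus issuewild, inheritance down the domain tree, and multiple issue directives can be checked together with a small policy evaluator. This is an added example, not code from this lookup tool. It assumes the RFC 8659 rules (closest ancestor RRset wins, and issue governs wildcard names when no issuewild is published), ignores CAA flags and CNAME handling, and uses a constructed sample zone; the function names are hypothetical.

```python
# Constructed sample policy: CAA RRsets keyed by owner name (not live DNS data).
ZONE = {
    "example.com": [("issue", "letsencrypt.org; validationmethods=dns-01"),
                    ("issue", "digicert.com"),
                    ("issuewild", "digicert.com"),
                    ("iodef", "mailto:security@example.com")],
    "internal.example.com": [("issue", ";")],  # overrides parent: no CA may issue
}

def relevant_rrset(fqdn, zone=ZONE):
    """Climb from fqdn toward the root; the closest name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":          # a wildcard is checked against its base name
        labels = labels[1:]
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def issuer(value):
    """Issuer domain of an issue/issuewild value, without ';'-separated parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(fqdn, ca, zone=ZONE):
    """Return (allowed, reason) for the CA whose CAA issuer domain is `ca`."""
    owner, rrset = relevant_rrset(fqdn, zone)
    issue = [issuer(v) for tag, v in rrset if tag.lower() == "issue"]
    wild = [issuer(v) for tag, v in rrset if tag.lower() == "issuewild"]
    # issuewild, when present, replaces issue, but only for wildcard names.
    if fqdn.startswith("*.") and wild:
        tag, allowed = "issuewild", wild
    else:
        tag, allowed = "issue", issue
    if not allowed:               # no CAA found, or only iodef/non-applicable tags
        return True, "no applicable issue restriction"
    if ca.lower() in allowed:
        return True, f"{tag} at {owner} lists {ca}"
    return False, f"{tag} at {owner} does not list {ca}"

def iodef_targets(fqdn, zone=ZONE):
    """Reporting URIs published in the RRset that governs fqdn."""
    return [v for tag, v in relevant_rrset(fqdn, zone)[1] if tag.lower() == "iodef"]

if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "letsencrypt.org"),
                     ("app.internal.example.com", "digicert.com")]:
        print(name, ca, may_issue(name, ca))
```

Running it against the sample zone shows the wildcard request from a CA that is listed only under issue being refused, and the subdomain override blocking a CA that the parent allows.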