SSL/PKI DNS Check Tool

Verify your complete SSL/TLS security stack (CAA, TLSA, and DNSSEC) instantly to troubleshoot certificate issuance and DANE validation.

How to troubleshoot SSL/TLS issuance and DANE errors

If your auto-renewing SSL certificate (like Let's Encrypt) suddenly fails, or strict mail servers refuse to deliver emails to your domain over TLS, your DNS-based PKI (Public Key Infrastructure) configuration might be misconfigured. Enter your domain, port, and protocol above to run a comprehensive check on the three pillars of DNS security.

Interpreting your SSL/PKI DNS results

  • CAA (Certificate Authority Authorization): If your CA is failing to issue a certificate, check the CAA results. If a record exists but your CA (e.g., letsencrypt.org) is not explicitly listed in it, that CA is legally blocked from issuing the SSL certificate.
  • TLSA (DANE Bindings): If the TLSA hash does not match your current live certificate, clients enforcing DANE will reject the connection as a potential Man-in-the-Middle attack. Always update TLSA hashes before installing a new certificate.
  • DNSSEC (Chain of Trust): DNSSEC must return a valid, signed chain. If DNSSEC is broken (resulting in a SERVFAIL) or simply disabled, your TLSA records become invalid, as DANE strictly requires a cryptographically secure DNS response.
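The following is an added example, not code from this tool or its authors. It models the first two checks above offline in Python: CAA evaluation in the style of RFC 8659 (climb to the closest ancestor that has CAA records, honour `issue`/`issuewild`, refuse on a critical-flagged unknown tag) and TLSA certificate association data per RFC 6698 (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 0/1/2), with a minimal DER walker that pulls the SPKI out of a certificate so the hash can be compared with what is published in DNS. All function names, the record tuple layout, the sample zone and the certificate bytes are my own constructed stand-ins.

```python
# Added example: offline model of the CAA (RFC 8659) and TLSA (RFC 6698) checks.
# Zone data and the certificate below are constructed stand-ins, not live answers.
import hashlib

KNOWN_CAA_TAGS = ("issue", "issuewild", "iodef")

def caa_relevant_records(name, zone):
    """Closest ancestor of `name` (itself included) holding CAA records governs."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []

def caa_permits(name, issuer_domain, zone, wildcard=False):
    """`zone`: FQDN (no trailing dot) -> [(flags, tag, value)]. Returns (allowed, reason)."""
    origin, records = caa_relevant_records(name, zone)
    if not records:
        return True, "no CAA records in the tree, any CA may issue"
    for flags, tag, _ in records:
        if flags & 128 and tag not in KNOWN_CAA_TAGS:   # critical flag on an unknown tag
            return False, "critical unknown tag %r at %s" % (tag, origin)
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r[1] == tag]
    if wildcard and not relevant:                       # issuewild falls back to issue
        relevant = [r for r in records if r[1] == "issue"]
    if not relevant:
        return True, "no %s records at %s" % (tag, origin)
    for _, _, value in relevant:
        domain = value.split(";", 1)[0].strip().lower() # a bare ";" authorises nobody
        if domain == issuer_domain.lower():
            return True, "%s listed in %s at %s" % (issuer_domain, tag, origin)
    return False, "%s not listed in %s at %s" % (issuer_domain, tag, origin)

def der(tag, body):
    """Encode one DER TLV (definite length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_walk(data):
    """Yield (tag, body, whole_tlv) for each TLV in a DER body."""
    i = 0
    while i < len(data):
        start, tag, length = i, data[i], data[i + 1]
        i += 2
        if length & 0x80:                               # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length], data[start:i + length]
        i += length

def extract_spki(cert_der):
    """SubjectPublicKeyInfo of an X.509 cert. TBSCertificate fields are
    [0] version (optional), serial, signature, issuer, validity, subject, SPKI, ..."""
    _, cert_body, _ = next(der_walk(cert_der))
    _, tbs_body, _ = next(der_walk(cert_body))
    fields = list(der_walk(tbs_body))
    if fields[0][0] == 0xA0:                            # v1 certificates omit the version
        fields = fields[1:]
    return fields[5][2]

def tlsa_association_data(cert_der, selector, matching_type):
    """Selector 0 = full cert, 1 = SPKI; matching 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return data
    return (hashlib.sha256 if matching_type == 1 else hashlib.sha512)(data).digest()

def tlsa_rdata(cert_der, usage=3, selector=1, matching_type=1):
    """Presentation form to publish, e.g. at _25._tcp.mail.example.com."""
    data = tlsa_association_data(cert_der, selector, matching_type)
    return "%d %d %d %s" % (usage, selector, matching_type, data.hex())

def tlsa_matches(rdata, cert_der):
    """True if the live certificate satisfies one published TLSA record."""
    _usage, selector, mtype, hexdata = rdata.split()
    return tlsa_association_data(cert_der, int(selector), int(mtype)).hex() == hexdata.lower()

def tlsa_rrset_ok(rdatas, cert_der):
    """A DANE client needs one match in the RRset; keep old and new records during rollover."""
    return any(tlsa_matches(r, cert_der) for r in rdatas)

# Constructed sample zone and a structurally valid X.509 v3 skeleton (dummy key/signature).
ZONE = {"example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")]}
def _oid(hexoid):
    return der(0x06, bytes.fromhex(hexoid))
_NAME = der(0x30, der(0x31, der(0x30, _oid("550403") + der(0x0C, b"mail.example.com"))))
_SIG_ALG = der(0x30, _oid("2a8648ce3d040302"))                       # ecdsa-with-SHA256
_VALIDITY = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
SPKI = der(0x30, der(0x30, _oid("2a8648ce3d0201") + _oid("2a8648ce3d030107"))  # EC, P-256
         + der(0x03, b"\x00\x04" + b"\x11" * 64))
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SIG_ALG
           + _NAME + _VALIDITY + _NAME + SPKI)
CERT_DER = der(0x30, _TBS + _SIG_ALG + der(0x03, b"\x00" + b"\x22" * 70))
```

Against a real domain you would replace `ZONE` with the CAA answers a validating resolver returns and `CERT_DER` with the DER of the certificate actually served (for example from `openssl s_client -showcerts`, converted with `openssl x509 -outform DER`). `tlsa_rdata(CERT_DER)` gives the `3 1 1` record to publish before swapping in a new certificate, and `tlsa_rrset_ok` shows why the old and new records should coexist during rollover. The third bullet's DNSSEC requirement is outside this model, which simply trusts the answers it is given; in practice the TLSA lookup must come back authenticated (AD bit set) for DANE to apply at all.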