wiredepth

Free tool · Cert governance

CAA record checker

CAA (Certificate Authority Authorization) records tell certificate authorities which CAs are allowed to issue certs for your domain. Without CAA, any of ~80 trusted CAs can mint a working cert in your name. Paste any domain, see what's published. Plus a generator on /caa-generator for the records you should publish.

What this tool checks

CAA records are a defense against certificate misissuance: a malicious or compromised CA producing a working TLS cert in your name. Real-world examples: WoSign + StartCom misissued certs for github.com in 2016. Symantec misissued ~150 certs through partner CAs. DigiNotar was compromised in 2011 + issued certs for every major web property before being de-trusted.

Three tag types matter: issue (CAs allowed for ordinary certs), issuewild (CAs allowed for wildcards - separate from issue), and iodef (a reporting endpoint - mailto: or HTTPS URL - that CAs notify when they reject an unauthorized issuance attempt; early-warning signal for credential theft + targeted attacks).

How to read the results

Verdict tiers:

  • CAA configured: at least one issue record restricting to specific CAs. Cert-misissuance surface narrowed from ~80 CAs to whatever you listed.
  • CAA partial: records exist but cover only part of the surface (e.g., issuewild without issue, or an empty issue record that blocks all issuance, renewals included).
  • CAA missing: no records published. Any CA can issue. Industry default; not a vulnerability by itself but worth fixing for high-value domains.

Frequently asked questions

Will publishing CAA break my existing certs?

No - CAA checks happen at ISSUANCE time, not validation. Existing certs continue to work; only future issuance is gated. The trap: if your renewal CA isn't in the CAA list, the next renewal fails silently and you don't notice until the cert expires. Always add all CAs you currently use (including those for backup / DR sites) before publishing.

What CAs should I list?

Whatever you actually use. Common combos: Let's Encrypt (free, automated) + a paid CA (DigiCert / Sectigo) for EV. AWS-deployed: include amazon.com (ACM). GCP-deployed: include pki.goog. Cloudflare-fronted: include cloudflare.com. The generator on /caa-generator has presets.

Do I need both issue and issuewild?

If you don't issue wildcards, no - the absence of issuewild means wildcards follow the issue rules. If you DO issue wildcards, an explicit issuewild record is clearer to auditors + lets you allow different CAs for wildcards than for ordinary certs (e.g. Let's Encrypt for ordinary, DigiCert for wildcards).

What does the iodef record do?

When a CA tries to issue a cert against your CAA policy, RFC 8659 says they SHOULD report the attempt to your iodef endpoint. In practice: Let's Encrypt + DigiCert + Sectigo + a few others honor iodef; many other CAs do not. Still worth adding - the ones that do honor it catch the kind of targeted attacks where you want notification.

Why does my domain show CAA missing even though my registrar shows records?

A CA looks up CAA starting at the EXACT name it has been asked to issue for and walks UP the tree (subdomain.example.com → example.com → com), stopping at the first name where CAA records are found. So a record at the apex (example.com) covers subdomain.example.com by default, but a record published only at a subdomain does nothing for the apex, and the apex is what this checker queries. If your registrar shows records, verify they are published at the apex, not at a subdomain.
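The lookup climb, the issue/issuewild precedence and the three verdict tiers described above, as an added reference implementation that is not the wiredepth tool's own code. It runs against a constructed in-memory zone map with hypothetical names instead of live DNS.

```python
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value), as in the RR's zone-file form

# Constructed sample zone data (hypothetical names): name -> CAA RRset published at that name.
SAMPLE_ZONES: Dict[str, List[CaaRecord]] = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "iodef", "mailto:caa@example.com")],
    "wild.example.net": [(0, "issuewild", "digicert.com")],   # issuewild only, no issue
    "locked.example.org": [(0, "issue", ";")],                 # empty issue: nobody may issue
}

def relevant_caa(name: str, zones: Dict[str, List[CaaRecord]]) -> Tuple[Optional[str], List[CaaRecord]]:
    """Climb from the exact name toward the root (RFC 8659 section 3): the first CAA RRset
    found on the way up is the relevant one, so an apex record covers subdomains by default."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zones.get(candidate):
            return candidate, zones[candidate]
    return None, []

def _tag_values(rrset: List[CaaRecord], tag: str) -> List[str]:
    return [value.strip() for _, t, value in rrset if t == tag]

def verdict(name: str, zones: Dict[str, List[CaaRecord]]) -> Tuple[str, str]:
    """Map the relevant RRset onto the three verdict tiers used on this page."""
    found_at, rrset = relevant_caa(name, zones)
    if not rrset:
        return "CAA missing", "no CAA anywhere in the chain; any CA can issue"
    issue, issuewild = _tag_values(rrset, "issue"), _tag_values(rrset, "issuewild")
    if issue and all(v == ";" for v in issue):
        return "CAA partial", f"empty issue record at {found_at} blocks all ordinary issuance (renewals fail)"
    if issue:
        return "CAA configured", f"ordinary issuance restricted to {sorted(issue)} (record at {found_at})"
    if issuewild:
        return "CAA partial", f"issuewild only at {found_at}; ordinary certs not restricted"
    return "CAA partial", f"records at {found_at} carry no issue tag"

def ca_allowed(name: str, ca_domain: str, wildcard: bool, zones: Dict[str, List[CaaRecord]]) -> bool:
    """The check a CA performs at issuance time: issuewild overrides issue for wildcard names
    when present (RFC 8659 section 4.3); with no issuewild, wildcards follow the issue rules."""
    _, rrset = relevant_caa(name, zones)
    issue, issuewild = _tag_values(rrset, "issue"), _tag_values(rrset, "issuewild")
    rules = issuewild if (wildcard and issuewild) else issue
    if not rules:
        return True  # nothing applicable published: unrestricted
    # Only the issuer-domain-name part counts; parameters after ';' are ignored here.
    return ca_domain.lower() in {r.split(";")[0].strip().lower() for r in rules}
```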
