Diagnostic suite · live

CAA Lookup

Certificate Authority Authorization — see exactly which CAs are allowed to issue TLS certs for a domain, including inherited parent policies.

About the CAA Lookup Tool

The CAA Lookup tool queries the Certification Authority Authorization records (RFC 8659) published in DNS for a domain. CAA records tell public certificate authorities which CAs are actually allowed to issue TLS/SSL certificates for a hostname — and, just as important, they let a domain owner block every other CA in the world with a single DNS record. Every publicly-trusted CA is required to check CAA before issuing, so a correct CAA policy is one of the cheapest, highest-leverage controls you can add against unauthorized certificate issuance.

This tool resolves both the exact label you enter and any inherited policy from parent labels (as required by the CAA lookup algorithm), so you see the effective policy a CA would actually enforce. We surface issue and issuewild tags, iodef reporting endpoints, the critical flag, and highlight whether a record has an empty value — the special form that means 'no CA may issue'. If the domain has no CAA record at all, we flag the wide-open state so you know any public CA can currently issue.

Use CAA Lookup before requesting a new certificate, when investigating certificate mis-issuance in a Certificate Transparency alert, when migrating between CAs (Let's Encrypt, DigiCert, Sectigo, GlobalSign, Google Trust Services, ZeroSSL, Amazon), or as part of a security-headers audit alongside our HSTS and Security Headers Grader. Combine with our CT Search to see every certificate that has actually been issued for the domain — the definitive complement to a CAA policy.

How to use this tool

  1. 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
  2. 2Click the action button to run the check — results are computed instantly from our edge network.
  3. 3Review the parsed output, key fields and any warnings shown in the result card.
  4. 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.

Key features

  • Resolves CAA on the exact label and every parent label
  • Parses issue, issuewild, and iodef tags with the critical flag
  • Flags 'any CA can issue' when no CAA is published
  • Runs over DoH — no dig, no client-side DNS cache
  • Pairs with CT Search and SSL Checker for a full TLS audit
Related searches: caa record · certificate authority authorization · check caa dns · caa lookup online · letsencrypt caa · dns caa policy

Frequently asked questions

A CAA (Certification Authority Authorization) record is a DNS record that lists which certificate authorities are allowed to issue TLS certificates for the domain. Publicly-trusted CAs must check CAA before issuing under the CA/Browser Forum baseline requirements.