SSL Monitoring Ping Monitoring Port Monitoring Domain Monitoring TCP Monitoring Keyword Monitoring Cron Monitoring API Monitoring SLA Monitoring
Status Pages Status Badges Is Website Down? API MCP Server
For SaaS Teams For Agencies For E-commerce For DevOps For Startups For Hosting Providers For Developers
<- Back Home Pricing Status Pages Status Badges API MCP Server Is Website Down? Website Errors Free Tools

Free DNS tool

CAA Record Lookup

See which certificate authorities may issue SSL certificates for a domain, and find the CAA rule blocking a failed request.

Try , ,

Lookups run in your browser over Google public DNS-over-HTTPS (Cloudflare as fallback). Nothing you enter is sent to Pulsetic.

A CAA record guards who can issue your certificate; it does not tell you when it expires. Pulsetic watches your SSL certificate and warns you before it lapses.

What is a CAA record?

A CAA (certification authority authorization) record lists which certificate authorities are permitted to issue SSL/TLS certificates for your domain. Before issuing, a compliant authority must check the CAA record and refuse if it is not on the list.

A typical value is 0 issue "letsencrypt.org". The issue tag covers normal certificates, issuewild covers wildcards, and iodef gives an address where an authority can report a policy violation.

When CAA records matter

If a certificate request keeps failing with a CAA error, this lookup shows why: the authority you are using is not authorized, or no CAA record exists at the level being checked. Adding the right issue value fixes it.

CAA is checked at the exact name and walks up the tree, so a record on example.com also governs sub.example.com unless a closer record overrides it. Leaving CAA empty means any public authority may issue, which is permissive but valid.

CAA tags: issue, issuewild and iodef

A CAA record is built from tags. The issue tag authorizes an authority to sign normal certificates, for example 0 issue "letsencrypt.org". The issuewild tag does the same for wildcard certificates, and when it is absent the issue rules apply to wildcards too. The iodef tag gives a contact, such as a mailto address, where an authority can report a request that breaks your policy.

The number in front is the flags byte: 0 is normal, and 128 marks the tag critical, meaning an authority that does not understand it must refuse to issue. To allow several authorities, publish several issue records. To block every authority, publish issue ";" which authorizes none.

Look it up from the terminal

Prefer the command line? These return the same records this tool shows:

dig example.com CAA +short nslookup -type=CAA example.com

Every DNS record type

What each record does. Each one has a dedicated lookup in the tabs above.

RecordWhat it doesExample value
A Maps a domain to an IPv4 address. example.com → 93.184.216.34
AAAA Maps a domain to an IPv6 address. example.com → 2606:2800:220:1::
CNAME Points one name at another name, as an alias. www → example.com
MX Names the mail servers that accept email for the domain, each with a priority. 10 mail.example.com
TXT Holds free-form text, used for SPF, DKIM, DMARC and domain verification. v=spf1 include:_spf.google.com ~all
NS Lists the authoritative name servers for the domain. ns1.example.com
SOA Start of authority: the primary name server and the zone refresh, retry and expiry timers. ns1.example.com . 2026010101
PTR Reverse record: maps an IP address back to a host name. 34.216.184.93.in-addr.arpa
SRV Locates the host and port for a specific service. _sip._tcp → 5060 sip.example.com
CAA States which certificate authorities may issue SSL certificates for the domain. 0 issue "letsencrypt.org"

Frequently asked questions

  • What is a CAA record?

    A CAA record names the certificate authorities allowed to issue SSL certificates for your domain. Authorities are required to honor it, so it is a guard against unauthorized or mistaken certificate issuance.

  • Why is my SSL certificate request failing with a CAA error?

    It means the authority you are requesting from is not listed in your CAA record, or a record higher up the tree blocks it. Add an issue value for that authority, or remove the conflicting record, then retry.

  • Do I need a CAA record?

    No. With no CAA record, any publicly trusted authority may issue certificates for your domain, which is valid. Adding one tightens control by restricting issuance to the authorities you actually use.

  • What is the difference between issue and issuewild?

    The issue tag authorizes ordinary certificates for a name, while issuewild authorizes wildcard certificates. If issuewild is absent, the issue rules apply to wildcards too.

Stay online, all the time, with Pulsetic's uptime prime.

By Designmodo

Designmodo Inc. 169 Madison Ave, #79627, New York, NY 10016, United States

Copyright © 2010-2026

Hey there 👋  Friends from designmodo are here to help!
More Products Start a Chat...