What this check shows
CAA records let a domain owner restrict which certificate authorities may issue certificates. They can also define wildcard policies and incident-reporting contacts.
Comparing CAA responses helps verify policy changes before requesting or renewing a certificate.
When to use it
- Certificate authority migrations
- Restricting certificate issuance
- Diagnosing failed certificate orders
- Checking wildcard certificate policy
How to read the result
- The issue tag authorizes certificate authorities for certificates in general, while issuewild, when present, controls wildcard certificates.
- Certificate authorities walk up the DNS hierarchy when no CAA record exists at the exact hostname.
- An incorrect or stale CAA policy can prevent a legitimate certificate order.
Questions
Is CAA required for HTTPS?
No. It is an optional control that restricts certificate issuance when present.
Why can a parent-domain CAA record affect a subdomain?
Certificate authorities search parent labels when the queried hostname does not publish its own CAA policy.
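The parent-label search and the issue/issuewild split described above, following the RFC 8659 lookup rules, as an added example that is not this tool's own code. The zone contents, CA identifiers, and function names are constructed for illustration, and the lookup runs against an in-memory table instead of live DNS.

```python
# Constructed sample zone data: name -> list of (flags, tag, value) CAA records.
# All hostnames and CA identifiers below are placeholders, not real policies.
ZONE = {
    "example.com": [
        (0, "issue", "ca-one.example"),
        (0, "issuewild", "ca-two.example"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [(0, "issue", ";")],  # empty issuer: forbid all issuance
    "dev.example.com": [(0, "issue", "ca-three.example; account=1234")],
}


def relevant_caa_set(hostname, zone=ZONE):
    """Climb from hostname toward the root; return (owner, records) for the
    first name that publishes CAA records, or (None, []) if none does."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels[0] == "*":  # a wildcard request is looked up at its base name
        labels = labels[1:]
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        records = zone.get(name)
        if records:
            return name, records  # the closest policy wins; climbing stops here
    return None, []


def ca_may_issue(hostname, ca_domain, zone=ZONE):
    """Return True if the CAA policy found for hostname permits ca_domain."""
    owner, records = relevant_caa_set(hostname, zone)
    if owner is None:
        return True  # no CAA at any level: issuance is unrestricted
    wildcard = hostname.startswith("*.")
    issue = [v for _, tag, v in records if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in records if tag.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    values = issuewild if (wildcard and issuewild) else issue
    if not values:
        return True  # record set carries no applicable issuer tag (e.g. only iodef)
    # Drop parameters after ';' and compare the issuer domain name.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed
```

Note that `*.dev.example.com` is evaluated against the `issue` record at `dev.example.com`: once a name publishes its own CAA set, the parent's `issuewild` is never consulted.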