CAA Record Validator
Validate CAA DNS record syntax (flag, tag, value).
Overview
The CAA record validator checks the syntax of a DNS Certification Authority Authorization record — the flag, tag, and value triplet that tells public certificate authorities which of them are permitted to issue certificates for your domain. Paste a record as it would appear in your zone file and the validator confirms it is well-formed before you publish it.
Domain administrators rolling out a new CA, security teams enforcing certificate issuance policy, and DNS engineers debugging why Let's Encrypt suddenly fails all benefit from a CAA syntax check. Long-tail keywords covered: validate CAA record syntax online, what does CAA flag 0 vs 128 mean, and check issue / issuewild / iodef tags.
How it works
CAA is defined in RFC 8659. Each record has three fields: an unsigned 8-bit flags field (only the high bit, value 128, is defined; it marks the property as "issuer critical", and a CA that does not understand a critical property must refuse to issue), a tag that names the property, and a value, written as a quoted string in zone-file presentation format. The three standard tags are issue (which CAs may issue any certificate), issuewild (which CAs may issue wildcard certificates), and iodef (where to send violation reports).
Issuance is governed by the CA/B Forum Baseline Requirements. Before a public CA issues a certificate, it must look up the CAA record set for the FQDN, walk up the DNS tree one label at a time if no record exists, and refuse issuance if the first record set it finds does not name it. A missing CAA record means "any CA may issue" — restricting issuance is opt-in.
Examples
0 issue "letsencrypt.org" — only Let's Encrypt may issue any certificate for the name.
0 issuewild ";" — wildcard issuance is forbidden by every CA.
0 iodef "mailto:security@example.com" — CAs report violations to this email address.
128 issue "digicert.com" — DigiCert is permitted, and the critical flag forces unknown CAs to refuse rather than ignore the record.
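The four records above, fed through a small syntax validator written for this page. This is an added Python example, not the site's own tool; it implements the RFC 8659 presentation-format checks described under "How it works": a flags value of 0-255 with only 128 defined, an alphanumeric tag, and a tag-specific value check for issue/issuewild (issuer domain plus name=value parameters, where an empty domain means no issuance) and iodef (a mailto:, http: or https: URL). The last two inputs in the demo loop are constructed bad records; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field

# RFC 8659: only bit 0 of the flags octet (value 128, "issuer critical") is defined.
ISSUER_CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Presentation format: <flags> <tag> <value>; value is a quoted string
# (with backslash escapes) or a bare token without whitespace.
_RECORD_RE = re.compile(
    r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))\s*$'
)
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_PARAM_NAME_RE = re.compile(r"^[A-Za-z0-9]+$")


class CAASyntaxError(ValueError):
    """Raised when a record is not a syntactically valid CAA record."""


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str
    warnings: list[str] = field(default_factory=list)

    @property
    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)


def parse_issuer_value(value: str) -> tuple[str, dict[str, str]]:
    """Split an issue/issuewild value into (issuer-domain, parameters).
    An empty issuer domain (e.g. the value ";") means no CA may issue."""
    domain, _, params_text = value.partition(";")
    domain = domain.strip()
    if domain:
        labels = domain.rstrip(".").split(".")
        if not all(_LABEL_RE.match(label) for label in labels):
            raise CAASyntaxError(f"invalid issuer domain name {domain!r}")
    params: dict[str, str] = {}
    for param in params_text.split(";"):
        param = param.strip()
        if not param:
            continue
        name, eq, pvalue = param.partition("=")
        if not eq or not _PARAM_NAME_RE.match(name) or any(c.isspace() for c in pvalue):
            raise CAASyntaxError(f"invalid parameter {param!r} (expected name=value)")
        params[name] = pvalue
    return domain, params


def check_iodef_value(value: str) -> None:
    """RFC 8659 section 4.4: iodef takes a mailto:, http: or https: URL."""
    if not re.match(r"^(?:mailto:[^@\s]+@[^@\s]+|https?://\S+)$", value, re.IGNORECASE):
        raise CAASyntaxError(f"iodef value must be a mailto:/http:/https: URL, got {value!r}")


def parse_caa(text: str) -> CAARecord:
    """Parse one CAA record in zone-file presentation format and validate it.
    Hard errors raise CAASyntaxError; things a CA will accept but that are
    probably not what the operator intended are returned as warnings."""
    m = _RECORD_RE.match(text)
    if not m:
        raise CAASyntaxError(f"expected '<flags> <tag> <value>', got {text!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise CAASyntaxError(f"flags must be 0-255, got {flags}")
    tag = m.group(2).lower()  # tags are case-insensitive
    if m.group(3) is not None:
        value = re.sub(r"\\(.)", r"\1", m.group(3))  # strip escapes inside quotes
    else:
        value = m.group(4)
    rec = CAARecord(flags, tag, value)
    if flags & ~ISSUER_CRITICAL:
        rec.warnings.append(f"flags {flags} sets reserved bits; only 0 and 128 are defined")
    if tag in ("issue", "issuewild"):
        parse_issuer_value(value)
    elif tag == "iodef":
        check_iodef_value(value)
    else:
        action = "refuse to issue" if rec.critical else "silently ignore this record"
        rec.warnings.append(f"unknown tag {tag!r}: a CA that does not understand it will {action}")
    return rec


def validate_caa(text: str) -> tuple[bool, list[str]]:
    """Convenience wrapper: (is_valid, messages) for one line from a zone file."""
    try:
        rec = parse_caa(text)
    except CAASyntaxError as exc:
        return False, [str(exc)]
    return True, rec.warnings


if __name__ == "__main__":
    # The four records from the Examples section plus two constructed bad ones.
    for line in [
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',
        '0 iodef "mailto:security@example.com"',
        '128 issue "digicert.com"',
        '0 issue "letsencrypt.org; accounturi"',  # constructed: parameter without '='
        '300 issue "example.net"',                # constructed: flags out of range
    ]:
        print(f"{line:45s} -> {validate_caa(line)}")
```

Unknown tags and reserved flag bits are reported as warnings rather than errors because RFC 8659 tells CAs to ignore them (or, with the critical bit, to refuse), so such a record is syntactically legal but almost never what the operator meant.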
FAQ
Do I need a CAA record?
No, it is optional. But without one, any publicly trusted CA may issue a certificate for your domain — including one obtained by an attacker who briefly controls your DNS or email.
Does CAA apply to subdomains?
Yes. CAs walk up the tree, so a record at example.com covers foo.example.com unless foo has its own record. The closest record wins.
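The tree-climbing lookup from RFC 8659 section 3 and the issuance decision built on it, as an added Python example (not the site's code). ZONE is constructed data standing in for DNS answers and lookup_caa is a hypothetical stand-in for a real query; every other name is this example's own. It shows the closest record winning, a wildcard request consulting issuewild first and falling back to issue, and a critical property with an unknown tag forcing refusal; issue-value parameters such as accounturi are ignored here.

```python
ISSUER_CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data standing in for real DNS answers. Owner names are
# fully qualified (trailing dot); each RRset is a list of (flags, tag, value).
ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com.": [(0, "issue", "digicert.com")],
    "legacy.example.com.": [(128, "issuemail", "x")],  # critical bit on an unknown tag
}


def lookup_caa(fqdn: str) -> list:
    """Hypothetical stand-in for a DNS query for the CAA RRset of fqdn."""
    return ZONE.get(fqdn, [])


def relevant_caa_set(fqdn: str, lookup=lookup_caa):
    """RFC 8659 section 3: start at the FQDN and climb one label at a time
    toward the root; the first non-empty CAA RRset is the relevant one."""
    labels = fqdn.rstrip(".").split(".")
    while labels:
        owner = ".".join(labels) + "."
        rrset = lookup(owner)
        if rrset:
            return owner, rrset
        labels = labels[1:]
    return None, []


def issuer_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value; '' means nobody may issue."""
    return value.partition(";")[0].strip().lower()


def may_issue(name: str, ca_domain: str, lookup=lookup_caa):
    """Return (allowed, reason) for CA ca_domain issuing a certificate for name.
    A leading '*.' means a wildcard certificate; the lookup then starts at the
    parent name, as RFC 8659 section 3 specifies."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    owner, rrset = relevant_caa_set(fqdn, lookup)
    if not rrset:
        return True, "no CAA RRset found walking up the tree: issuance unrestricted"
    # A critical property the CA does not understand forbids issuance outright.
    for flags, tag, _ in rrset:
        if flags & ISSUER_CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, f"{owner} has critical unknown property {tag!r}: must refuse"
    # Wildcard requests use issuewild when present; otherwise issue governs.
    allowed = [v for _, t, v in rrset if t.lower() == "issuewild"] if wildcard else []
    if not allowed:
        allowed = [v for _, t, v in rrset if t.lower() == "issue"]
    if not allowed:
        return True, f"{owner} has no issue/issuewild property: issuance unrestricted"
    permitted = {issuer_domain(v) for v in allowed} - {""}
    if ca_domain.lower() in permitted:
        return True, f"{owner} authorises {ca_domain}"
    return False, f"{owner} permits only {sorted(permitted) or 'nobody'}: refuse"


if __name__ == "__main__":
    for name, ca in [
        ("www.example.com", "letsencrypt.org"),   # inherits example.com
        ("www.example.com", "digicert.com"),      # not listed at example.com
        ("shop.example.com", "digicert.com"),     # closest record wins
        ("*.example.com", "letsencrypt.org"),     # issuewild ";" forbids wildcards
        ("*.shop.example.com", "digicert.com"),   # no issuewild, issue applies
        ("api.legacy.example.com", "letsencrypt.org"),
        ("other.test", "anyca.example"),          # no record anywhere
    ]:
        print(f"{name:26s} {ca:18s} -> {may_issue(name, ca)}")
```

The origin name returned by relevant_caa_set is what a CA would cite in its error message, which is the quickest way to explain a surprising refusal: the record that blocked you may live several labels above the name you requested.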
How fast do CAA changes take effect?
As soon as authoritative DNS is updated and any prior cached lookup expires — typically minutes, capped by your TTL.
Can I name multiple CAs?
Yes. Publish one record per allowed CA. They are additive: any listed CA may issue.