CAA Record Lookup
Check CAA (Certification Authority Authorization) records for any domain across 12 global resolvers. Free DNS checker.
What is a CAA record?
A CAA record ("certification authority authorization") tells certificate authorities (CAs) which of them are allowed to issue TLS certificates for a domain. Compliant CAs check CAA before issuance and refuse if they're not authorized. CAA is a defense against unauthorized certificate issuance.
When to check CAA records
- You're moving from one TLS provider to another (e.g., from Let's Encrypt to a paid CA) and want to confirm the new CA is allowed
- A certificate request is being rejected and you suspect CAA is the cause
- You're auditing a domain's certificate-issuance posture
FAQ
What does a CAA record look like?
CAA records have a flag (usually 0), a tag (issue, issuewild, or iodef), and a value. Example: 0 issue "letsencrypt.org" means only Let's Encrypt may issue certs for the domain.
Do I need a CAA record?
No — but you should consider one. Without CAA, any CA in any browser's trust store can issue a cert for your domain (assuming they validate ownership). CAA is a cheap, declarative restriction.
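As an added example (not part of the WhereIsDNS page or tool), the Python below parses records in the format shown above and applies the decision a compliant CA makes. It goes beyond the single-record case in the FAQ to cover wildcard requests, an empty issuer (";"), iodef-only sets and the critical flag. It assumes the domain's CAA record set has already been looked up; the function names and sample records are constructed for illustration.

```python
import re

# flag, tag, then a quoted or bare value, as in: 0 issue "letsencrypt.org"
CAA_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"?(.*?)"?\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample record set (not looked up from any real domain).
SAMPLE = [
    '0 issue "letsencrypt.org; validationmethods=dns-01"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]

def parse_caa(line):
    """Parse one presentation-format CAA record into (flag, tag, value)."""
    m = CAA_RE.match(line)
    if not m or not 0 <= int(m.group(1)) <= 255:
        raise ValueError(f"not a CAA record: {line!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def issuer_domain(value):
    """Issuer domain is the part before any ';' parameters; '' names no CA."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(lines, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue, given the domain's CAA record set."""
    records = [parse_caa(line) for line in lines]
    # An unrecognised tag with the critical bit (128) set blocks issuance.
    if any(flag & 128 and tag not in KNOWN_TAGS for flag, tag, _ in records):
        return False
    issue = [issuer_domain(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in records if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        # No CAA records, or none that restrict issuance (e.g. only iodef).
        return True
    return ca_domain.lower() in relevant

if __name__ == "__main__":
    for wild in (False, True):
        verdict = may_issue(SAMPLE, "letsencrypt.org", wildcard=wild)
        print(f"letsencrypt.org wildcard={wild}: allowed={verdict}")
```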
All record-type lookups
WhereIsDNS has dedicated pages for each common DNS record type. Each one defaults the tool to that record type and includes background on what the record means and what to look for.
- A Record Lookup — IPv4 addresses for a hostname
- AAAA Record Lookup — IPv6 addresses for a hostname
- CNAME Lookup — Aliases pointing one hostname to another
- MX Record Lookup — Mail servers for a domain (with priorities)
- NS Record Lookup — Authoritative nameservers for a domain
- TXT Record Lookup — SPF, DKIM, DMARC, and other text records
- SOA Record Lookup — Authority metadata for a DNS zone
- PTR (Reverse DNS) Lookup — IP back to a hostname