CAA Record Validator

#	Flags	Tag	Value	Normalized	Notes
{{ idx + 1 }}	{{ row.flags }}	{{ row.tag }}	{{ row.value }}	{{ row.normalized }}	{{ row.note \|\| '-' }}

#	Check	Status	Notes
{{ idx + 1 }}	{{ c.label }}	{{ c.status }}	{{ c.note \|\| '-' }}

#	Flags	Tag	Value	Notes
{{ idx + 1 }}	{{ row.flags }}	{{ row.tag }}	{{ row.value }}	{{ row.note \|\| '-' }}

Certificate Authority Authorization records are a way for a domain owner to state which certificate authorities are allowed to issue certificates for that domain. They help reduce surprise certificates and give you a clear policy signal before you request or renew a certificate for a new service.

You provide a domain name and the tool looks up the published authorization records, then it summarizes what it found and highlights patterns that can cause issuance to fail. It also points out missing best practices so you can tighten rules with confidence and document what you intended clearly.

A realistic use is an operations review before a migration where you want to ensure only your chosen certificate authority can issue for the new hostnames. If a record uses a critical flag with an unfamiliar tag, the tool warns that some issuers may refuse to proceed.

Treat the result as a policy check, not proof that a certificate exists or that an account is active, and avoid testing private internal domains if you do not want a third party resolver to see them.

Technical Details:

Certificate Authority Authorization (CAA) is a Domain Name System (DNS) record type that lets a domain publish certificate issuance permissions as a set of simple rule rows. Each row has an integer flags field, a tag that names the rule, and a value that carries an issuer domain, a reporting address, or parameters.

This validator measures what is published for the hostname you enter, then computes a normalized view so logically identical rows compare cleanly. It also evaluates a small set of safety checks and reports them as PASS, WARN, or FAIL to help you spot misconfigurations quickly.

The checks focus on outcomes that matter operationally, such as whether you have any issuer restrictions, whether wildcard issuance is explicitly controlled, and whether a critical flag is paired with an unknown tag. Values for issue and issuewild are normalized by lowercasing and sorting semicolon parameters, and iodef is checked for basic Uniform Resource Identifier (URI) syntax for mailto and https schemes.

Results are best read as a policy health signal rather than a guarantee of issuance. Different resolvers can return different answer sets during propagation, so recheck after changes and compare using the same resolver when you want like for like results.

Processing pipeline

Extract the hostname from a domain name, URL, or email style input.
Convert the hostname to ASCII using Internationalized Domain Names in Applications (IDNA) handling from the URL parser.
Query CAA via DNS over HTTPS (DoH) using the selected resolver or Auto.
Abort the DoH request after the configured timeout in milliseconds.
Parse each answer as flags, tag, and value, and mark malformed rows.
Normalize issue and issuewild values by sorting and lowercasing parameters.
Validate iodef values as mailto or https and record a note on failure.
Compute checks for unknown critical tags, issuer constraints, and duplicates.

Core rule checks

A row is treated as critical when bit 128 is set in the flags field. Unknown critical tags are highlighted because they can block issuance in some implementations.

critical = (f & 128) \neq 0

Symbols and units

Symbols used in parsing and checks
Symbol	Meaning	Unit or datatype	Source
`d`	Input hostname after extraction	string	Input
`d_ascii`	ASCII form of the hostname	string	Derived
`f`	CAA flags field	integer	Derived
`t`	CAA tag, lowercased	string	Derived
`v`	Raw CAA value after quote cleanup	string	Derived
`v_norm`	Normalized value used for comparisons	string	Derived
`TTL`	Time to Live reported by the resolver	seconds	Resolver
`T_query`	Measured lookup duration	milliseconds	Derived
`S`	Check status value	PASS, WARN, FAIL	Derived

Worked example

Suppose you paste https://Example.COM/login. The hostname extracted is example.com, then the DoH response returns these CAA answer rows.

0 issue "letsencrypt.org; ParamB=2; ParamA=1"
0 issuewild ";"
0 iodef "mailto:security@example.com"
128 unknown "value"

Normalization turns the first value into letsencrypt.org; parama=1; paramb=2, and the deny all issuewild row is labeled as a deny all directive.

The critical flag check is a bit test against 128.

128 & 128 = 128

Lookup time is rounded to the nearest whole millisecond.

round (42.6) = 43

In this example the unknown tag is marked as a FAIL because it is paired with a critical flag, while the iodef mailto value passes the basic syntax check.

Interpretation of statuses

Meaning of PASS WARN and FAIL statuses
Status	What it indicates	Suggested next step
PASS	The check found no immediate risk for the specific rule being tested.	Keep as is, and recheck after DNS changes propagate.
WARN	A best practice is missing or a duplicate is present after normalization.	Review for clarity and intent, then tighten if appropriate.
FAIL	A configuration may block issuance or carries an unsafe ambiguity.	Fix before requesting a certificate from a public issuer.

When values sit close to a decision boundary, treat WARN as a prompt to confirm intent rather than an error. Always resolve FAIL first because it can stop issuance entirely.

Parameters you can control

User controlled parameters and their effects
Parameter	Meaning	Unit or datatype	Typical range	Sensitivity	Notes
Resolver	Which DoH provider is queried for the record set	enum	Auto, Cloudflare, Google	Medium	Auto falls back only when the first request fails to fetch.
Timeout	Abort a single DoH request after this duration	milliseconds	0 to many	High	0 applies no extra abort timer beyond normal network behavior.
Builder preset	Suggested issuers used when drafting new CAA rows	enum	4 presets	High	Presets include Let's Encrypt, DigiCert, Google Trust Services, and Mixed.
Include issuewild	Whether the builder also drafts wildcard issuance rules	boolean	true or false	High	When omitted, wildcard behavior is left to issuer defaults.
Add deny all rows	Whether the builder adds value `;` to explicitly deny issuance	boolean	true or false	High	Adding both deny and allow rows can create conflicts.
iodef URI	Optional incident reporting address added to builder output	string	mailto or https	Low	Only basic syntax is checked when validating queried records.

Constants and preset values

Constants and preset issuer values used by the tool
Constant	Value	Unit	Source	Notes
Known tags	`issue`, `issuewild`, `iodef`	set	Constant	Unknown tags are flagged, and unknown critical tags are treated as failures.
Cloudflare DoH endpoint	`https://cloudflare-dns.com/dns-query`	URL	Constant	Used when the resolver is Cloudflare or Auto.
Google DoH endpoint	`https://dns.google/resolve`	URL	Constant	Used when the resolver is Google or as an Auto fallback.
Builder TTL	`3600`	seconds	Constant	Used only in the zone snippet template, not read from your DNS.
Preset issuers	Let's Encrypt uses `letsencrypt.org` for issue and issuewild. DigiCert uses `digicert.com` for issue and issuewild. Google Trust Services uses `pki.goog` for issue and issuewild. Mixed uses `letsencrypt.org` and `pki.goog` for issue, and `letsencrypt.org` for issuewild.	domains	Constant	Issuer domains are normalized to lowercase and stripped of a trailing dot.

Units, precision, and normalization

Heads‑up Lookup time is rounded with nearest millisecond rounding and reported as an integer.
TTL is taken from the first answer returned by the resolver and is shown in seconds when present.
Flags are parsed as base 10 digits, and the critical bit is tested with flags & 128.
Tags are lowercased for comparisons, and unknown tags are still shown as received.
For issue and issuewild, the issuer domain is lowercased and a trailing dot is removed.
Semicolon parameters are trimmed, lowercased, sorted lexicographically, and rejoined with ; .
Duplicate detection compares flags, tag, and normalized value case insensitively.

Validation rules and bounds

Validation rules extracted from the implementation
Field	Type	Min	Max	Step or pattern	Error text	Placeholder
Domain input	string	1	n	Accepts domain, URL, email, or mailto prefix, then extracts the hostname	`Domain is required.`	`example.com`
Resolver	enum	—	—	`auto`, `cloudflare`, `google`	—	—
Timeout	number	0	—	`step=100`	—	`3500`
CAA answer row	string	—	—	`^\\s(\\d+)\\s+([A-Za-z0-9-]+)\\s+(.)\\s*$`	`Malformed row`	—
iodef value	string	1	n	`mailto:` with `@` or a valid `https:` URL	`Invalid mailto URI`, `Invalid https URL`, `iodef must use https`	`mailto:security@example.com`

Inputs and outputs

Input and output formats produced by the tool
Input	Accepted families	Output	Encoding or precision	Rounding
Domain string	Hostname, URL, email address	CAA record rows with normalized view	text	Not applicable
DoH response	JSON answer array	Checks list with status and notes	text	Not applicable
Builder options	Preset selection and toggles	Zone snippet lines like `example.com. 3600 IN CAA 0 issue "issuer"`	text	Not applicable
Exports	Generated files and clipboard text	CSV tables, DOCX reports, and a JSON summary	JSON uses 2 space indentation	Query time rounded

Networking and storage behavior

Lookups are performed with fetch requests to the selected DoH endpoint, using an accept header of application/dns-json and a query that sets name, type=CAA, and ct=application/dns-json. The page keeps results in memory while you view them and resets state on each new validation run.

Performance and determinism

For n answer rows, parsing, normalization, and duplicate detection run in O(n) time with O(n) memory for the dedupe set. Given the same resolver response, the normalized record list and check outcomes are deterministic, but the resolver response itself can differ across providers and time.

Assumptions and limitations

Heads‑up The Auto mode only falls back to the second resolver when the first request fails to fetch.
TTL is shown only when the resolver provides it and only from the first answer entry.
The validator recognizes only issue, issuewild, and iodef as known tags.
Unknown non critical tags are still listed, and only unknown critical tags trigger a failure.
iodef validation is intentionally lightweight and does not fully validate mail addresses.
Parameter normalization can change the display order compared to the original DNS text.
Duplicate detection is based on normalized values, so cosmetic differences are treated as duplicates.
The deny all conflict check is implemented only for issue, not for issuewild.
Builder output uses flags 0 and does not attempt to set the critical flag.
The builder uses a fixed TTL of 3600 seconds in its snippet template.

Edge cases and error sources

Leading dots, trailing dots, and a final root dot are removed before querying.
Internationalized domains are converted to ASCII form by the URL parser when possible.
Email style inputs use the text after the last @ as the hostname.
URLs without a valid scheme are handled with a best effort split and can misparse unusual strings.
Resolvers can return an empty answer for a valid domain, which is reported as no records found.
Heads‑up Network errors and blocked fetch requests can look like missing records in the final message.
Timeout aborts are treated as fetch failures and can trigger the Auto fallback behavior.
Quoted answer data with multiple quoted segments is concatenated, which can surprise if quotes are meaningful.
Consecutive semicolons produce empty parameter segments that are discarded during normalization.
Flag values that are not digits cause parsing to fail and the row is marked malformed.
Non ASCII whitespace can survive trimming differently across environments and affect displayed values.
Very large answer sets are uncommon, but copying and exporting large tables can be slow.

Security considerations

CAA checks do not confirm certificate ownership, only published issuance policy.
Unknown critical tags can block issuance, but issuer handling can vary by implementation.
Do not paste secrets into the domain field, since it is intended for hostnames only.
If you work with internal hostnames, prefer a resolver and network path you trust.
Use deny all directives carefully, and avoid mixing deny and allow values accidentally.
After changing records, recheck from multiple networks if you suspect stale caches.

Scientific and standards references

Authoritative references include the IETF specification for Certificate Authority Authorization, the IETF specification for DNS over HTTPS, and the IANA registry of DNS record types.

Privacy and compliance

Lookup requests are sent from your browser directly to the selected resolver endpoint, and the page does not persist results to local or session storage.

Step-by-Step Guide:

Certificate Authority Authorization records tell you which issuers are permitted, and this guide walks you from a domain input to a clear PASS WARN FAIL summary you can act on.

Enter the Domain as an apex hostname, or paste a URL or email address to extract it.
Optionally choose a Resolver to compare results, or leave it on Auto.
Adjust Timeout if your network is slow, and set it to 0 to disable extra abort timing.
Select Builder preset to draft recommended issuer rows for your chosen certificate authority.
Run validation, then read the Checks tab and fix FAIL items first.
Use the Builder output as a starting point, and add deny all rows only if that matches your policy intent.

Example You enter mail@example.com and the hostname extracted is example.com. The result shows 2 records, 1 pass, 1 warn, and a TTL value from the resolver.

If the warn is about a missing issuewild policy, add an explicit wildcard rule when you want wildcard issuance constrained.

Recheck after making changes, since cached answers can linger until TTL expires.

If results look odd, switch resolvers to separate data issues from resolver behavior.

Keep deny all directives separate from permissive rules to avoid conflicts.

Pro tip: when debugging, run the same domain through two resolvers back to back and compare normalized values rather than raw text.

You should finish with a normalized record list and a small checklist you can use to update DNS confidently.

Troubleshooting:

Domain is required. Enter any hostname, or paste a URL or email so the hostname can be extracted.
No CAA records found. The domain may not publish CAA, or the resolver returned no answers for this type.
Timeouts. Increase the timeout, or set it to 0 to remove the extra abort timer.
Unexpected FAIL for unknown critical tag. Remove the critical flag or use a tag the issuer recognizes.
Duplicate logical entries. Remove redundant rows after normalization, especially when only spacing differs.
Deny all conflict. Do not combine issue ";" with permissive issue rows in the same set.

If your network blocks fetch requests to the resolver endpoints, validation cannot complete and you may see results that look like missing records.

Advanced Tips:

Tip Prefer explicit issue and issuewild rules to document intent for future changes.
Tip Use a single resolver while iterating, then cross check with a second resolver before rollout.
Tip Normalize values in your own zone file reviews so duplicates do not sneak in with formatting changes.
Tip If you need to deny issuance, add deny all rows only after confirming all required issuers are listed.
Tip Keep an incident mailbox ready for iodef, and review it periodically for routing changes.
Tip Capture the JSON summary when filing a ticket so others can reproduce the same check context.

Glossary:

CAA: Certificate Authority Authorization, a DNS rule set for certificate issuance.
Flags: Integer field where bit 128 marks a tag as critical.
Tag: Rule name such as issue, issuewild, or iodef.
issue: Lists which certificate authorities may issue non wildcard certificates.
issuewild: Lists which certificate authorities may issue wildcard certificates.
iodef: Reporting URI, accepted as mailto or https in this validator.
Normalization: Lowercasing and sorting parameters to compare logical equality.
TTL: Time to Live value returned by the resolver, in seconds.

FAQ:

Is my data stored?

The page keeps results in memory for display and export and does not write them to local or session storage. DNS lookups are sent to the selected resolver endpoint.

How accurate are results?

Accuracy depends on what the resolver returns at that moment and how caches and propagation behave. Compare using the same resolver when you want consistent snapshots.Treat TTL as a hint, since only the first answer TTL is shown.

What formats are supported?

Inputs accept a hostname, a URL, an email address, or a mailto prefix, and the hostname is extracted. Outputs include tables of records and checks, a builder snippet, and a JSON summary.

Does it work offline?

Record validation requires network access because it queries a DNS over HTTPS resolver. Builder output is generated locally from the preset and your inputs once the page is loaded.

What does it cost?

This package does not display pricing or subscription details. If you need licensing information, follow the policy of the site that provides this page.

How do I validate a CSR?

A certificate signing request is not validated here. This utility checks CAA DNS records and drafts CAA rule rows, so use a dedicated CSR parser for request inspection.

What does a borderline result mean?

WARN is the borderline case, and it usually means a best practice is missing, a duplicate exists after normalization, or a policy choice is not explicit. FAIL signals a stronger risk that can block issuance.