CAA Record Checker
Check which Certificate Authorities are allowed to issue certificates for a domain — and whether CAA records are set at all.
Queries public DNS only.
CAA limits who may issue. Monitoring catches who did.
CAA records reduce the risk of unauthorised issuance, but they don't tell you when a certificate is actually issued. CertControl watches Certificate Transparency logs and alerts you to certificates on your domains that you didn't order.
See certificate monitoring →
What CAA records do
A CAA (Certification Authority Authorisation) DNS record lists the Certificate Authorities permitted to issue certificates for your domain. A compliant CA must refuse issuance if it isn't listed, which narrows the attack surface for mis-issuance. No CAA record means any public CA may issue — so adding one is a quick, high-value hardening step.
What happens if I have no CAA record?
Any publicly trusted Certificate Authority may issue certificates for the domain. Adding a CAA record that lists only the CAs you actually use is a quick, high-value way to reduce the risk of mis-issuance.
Does a CAA record stop mis-issuance entirely?
No. CAA binds only compliant CAs, which must refuse to issue if they are not listed; it does not catch a CA that ignores the record or a key that has already been compromised. Pair it with Certificate Transparency monitoring to detect certificates that were actually issued.
How do I add a CAA record?
Publish a CAA record at your domain's apex, for example:
example.com. IN CAA 0 issue "letsencrypt.org"
Add one issue entry per CA you use, and an iodef entry to receive reports of refused issuance attempts.
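The check a compliant CA applies to these records, as an added example that is not CertControl's code: it evaluates constructed sample records offline instead of querying DNS, and follows the RFC 8659 rule that a name without its own CAA record inherits the nearest parent's. The names ZONE, relevant_rrset, issuer_domain and may_issue are illustrative, and wildcard (issuewild) requests are left out.

```python
# Added example: evaluate CAA policy over constructed records (not live DNS).
# ZONE maps an owner name to its CAA RRset as (flags, tag, value) tuples.
ZONE = {  # constructed sample data
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [(0, "issue", ";")],  # ";" alone: no CA may issue
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")  # tags this example understands


def relevant_rrset(name, zone):
    """Climb from name towards the root; the first non-empty CAA RRset wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuer_domain(value):
    """Return the CA domain from an issue value, dropping any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name, ca, zone=ZONE):
    """Return (allowed, reason) for a non-wildcard request handled by `ca`."""
    owner, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA record: any public CA may issue"
    # An unrecognised tag with the critical bit (128) set forces a refusal.
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"unknown critical tag {tag!r} at {owner}"
    issuers = [issuer_domain(v) for _, tag, v in rrset if tag == "issue"]
    if not issuers:
        return True, f"CAA at {owner} has no issue entry: not restricted"
    if ca.lower() in issuers:
        return True, f"{ca} is listed at {owner}"
    return False, f"{ca} is not listed at {owner}"


if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("api.locked.example.com", "letsencrypt.org")]:
        print(host, ca, may_issue(host, ca))
```

An apex record covers every subdomain that has no CAA record of its own, and a subdomain that publishes its own record replaces the apex policy for names beneath it.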