DNSSEC & CAA Record Checker
Verify DNSSEC (DNS Security Extensions) and CAA (Certificate Authority Authorization) records for your domain. Ensure DNS security and control SSL/TLS certificate issuance.
Check your domain's DNS security configuration including DNSSEC validation and CAA records. Our comprehensive checker helps you protect against DNS attacks, verify cryptographic signatures, and control SSL/TLS certificate issuance for enhanced domain security.
About DNS Security
DNSSEC: DNS Security Extensions add cryptographic signatures to DNS records to prevent DNS spoofing and cache poisoning attacks.
CAA Records: Certification Authority Authorization records specify which certificate authorities are allowed to issue certificates for your domain.
What is DNSSEC?
DNSSEC (DNS Security Extensions) is a set of extensions to the DNS protocol that adds cryptographic signatures to DNS records, ensuring the authenticity and integrity of DNS responses. It protects against DNS-based attacks including cache poisoning, spoofing, and man-in-the-middle tampering with answers. It does not encrypt queries or responses, so it offers no confidentiality: anyone on the path can still see which names are being looked up.
Without DNSSEC, DNS responses can be easily forged, allowing attackers to redirect users to malicious websites. DNSSEC uses a chain of trust based on digital signatures to verify that DNS responses haven't been tampered with during transit.
How DNSSEC Works
- Zone Signing: Domain owners sign each record set in their zone with a private key, producing RRSIG records alongside the data
- Public Key Distribution: The corresponding public key (DNSKEY) is published in DNS
- Chain of Trust: Each parent zone vouches for its child by publishing a DS (Delegation Signer) record, a hash of the child's key-signing key
- Validation: Resolvers verify signatures using the chain of trust from the root zone down to your domain
- Authenticated Response: Users receive cryptographically verified DNS data; a validating resolver refuses to hand back data that fails the check
What are CAA Records?
CAA (Certification Authority Authorization) records allow domain owners to specify which Certificate Authorities (CAs) are authorized to issue SSL/TLS certificates for their domain. This prevents unauthorized or fraudulent certificate issuance, adding an extra layer of security to your domain.
Since September 2017, Certificate Authorities are required by the CA/Browser Forum to check CAA records before issuing certificates. If a CA is not authorized in your CAA records, they must refuse the certificate request.
CAA Record Format
A CAA record consists of three parts, shown here in zone-file form:
example.com. CAA 0 issue "letsencrypt.org"
- Flags (0): 0 (non-critical) or 128 (critical). A CA that does not understand a property marked critical must refuse to issue, so 128 is only used when you want unknown tags to block issuance.
- Tag (issue): the property type. issue authorizes the named CA to issue certificates (wildcards included, unless an issuewild property is also present); issuewild authorizes the named CA to issue wildcard certificates only; iodef gives a mailto: or https: address where CAs may report requests that violate the policy.
- Value: the CA's issuer domain name, exactly as that CA publishes it for CAA, or the reporting address for iodef. An issue value of ";" names no CA and forbids issuance.
How to Use This Tool
- Enter your domain: Type the domain name you want to check (e.g., example.com) without http:// or www
- Initiate the check: Click "Check DNSSEC & CAA" to start the verification
- Review DNSSEC status: The tool will verify if DNSSEC is properly configured and validated
- Check CAA records: View which Certificate Authorities are authorized to issue certificates
- Analyze results: Review any warnings or recommendations for improving your DNS security
- Take action: Follow the suggestions to enhance your domain's security posture
Common CAA Record Examples
Allow Let's Encrypt to Issue Certificates
example.com. CAA 0 issue "letsencrypt.org"
This allows Let's Encrypt to issue any type of certificate (standard and wildcard) for your domain: with no issuewild property present, the issue property governs wildcard requests too.
Allow Multiple Certificate Authorities
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issue "amazon.com"
You can have multiple CAA records to authorize different CAs. This is useful if you use different providers for different services. Use the issuer domain each CA documents for CAA checking; some CAs recognise more than one, and a value the CA does not recognise causes issuance to fail.
Separate Wildcard Authorization
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "digicert.com"
This allows Let's Encrypt to issue regular certificates, but only DigiCert can issue wildcard certificates (*.example.com). Once any issuewild property is present, the issue records are ignored for wildcard requests.
Prevent All Certificate Issuance
example.com. CAA 0 issue ";"
The semicolon value names no CA and therefore prevents any CA from issuing certificates. Because there is no issuewild property, it blocks wildcard certificates as well. Useful for parked domains or names that should never carry a certificate.
Include Incident Reporting
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 iodef "mailto:security@example.com"
The iodef tag specifies where CAs may report requests that violate your CAA policy. Reporting is optional for the CA, so treat it as a useful signal rather than a guaranteed notification.
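The record format and the five examples above follow the rules a CA must apply when it checks CAA (RFC 8659): climb from the requested name toward the root until a CAA RRset is found, let issuewild take over for wildcard requests only when one exists, treat an empty issuer name as "nobody", and refuse outright if a critical property is not understood. The following is an added example, not code from this tool or from any CA: a stand-alone evaluator over a constructed zone built from the records on this page. The owner names `dev.example.com`, `parked.example` and `legacy.example`, and the tag `futuretag`, are hypothetical.

```python
"""Evaluate a CAA policy the way a CA must (RFC 8659), offline.
Added example for this page; the zone is constructed, not live DNS data."""
from __future__ import annotations

import re
from dataclasses import dataclass

CRITICAL = 0x80                               # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this evaluator understands


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# owner [ttl] [IN] CAA flags tag "value"
_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)


def parse_caa(line: str) -> tuple[str, CAA]:
    """Parse one presentation-format CAA record into (owner, record)."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m["flags"])
    if not 0 <= flags <= 255:
        raise ValueError(f"flags out of range: {flags}")
    return m["owner"].lower().rstrip("."), CAA(flags, m["tag"].lower(), m["value"])


def load_zone(text: str) -> dict[str, list[CAA]]:
    """Group CAA records by owner name; ';' at line start is a zone-file comment."""
    zone: dict[str, list[CAA]] = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(";"):
            owner, rec = parse_caa(line)
            zone.setdefault(owner, []).append(rec)
    return zone


def relevant_rrset(zone: dict[str, list[CAA]], name: str) -> tuple[str | None, list[CAA]]:
    """RFC 8659 section 3: use the RRset at the name, else climb toward the root."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return candidate, zone[candidate]
    return None, []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; accounturi=...' -> 'letsencrypt.org'; ';' or '' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone: dict[str, list[CAA]], fqdn: str, ca_domain: str) -> tuple[bool, str]:
    """Decide whether ca_domain may issue for fqdn ('*.name' is a wildcard request)."""
    wildcard = fqdn.startswith("*.")
    owner, rrset = relevant_rrset(zone, fqdn[2:] if wildcard else fqdn)
    if owner is None:
        return True, "no CAA RRset up to the root: any CA may issue"
    # A critical property the CA does not understand blocks issuance outright.
    for r in rrset:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"critical property {r.tag!r} at {owner} is not understood"
    # issuewild replaces issue for wildcard requests only when at least one is present.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    grants = [r for r in rrset if r.tag == tag]
    if not grants:
        return True, f"no {tag} property at {owner}: issuance is unrestricted"
    allowed = {issuer_domain(r.value) for r in grants} - {""}   # ';' grants nobody
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is authorized by {tag} at {owner}"
    return False, f"{ca_domain} is not in the {tag} set at {owner}: {sorted(allowed) or 'nobody'}"


def iodef_targets(zone: dict[str, list[CAA]], fqdn: str) -> list[str]:
    """Where a CA may report a request that violates the policy for fqdn."""
    _, rrset = relevant_rrset(zone, fqdn[2:] if fqdn.startswith("*.") else fqdn)
    return [r.value for r in rrset if r.tag == "iodef"]


# Constructed sample zone (not real DNS data), built from the examples on this page.
SAMPLE_ZONE = """
example.com.      3600 IN CAA 0 issue "letsencrypt.org"
example.com.      3600 IN CAA 0 issuewild "digicert.com"
example.com.      3600 IN CAA 0 iodef "mailto:security@example.com"
dev.example.com.  3600 IN CAA 0 issue "amazon.com"
parked.example.   3600 IN CAA 0 issue ";"
legacy.example.   3600 IN CAA 0 issue "letsencrypt.org"
legacy.example.   3600 IN CAA 128 futuretag "hypothetical"
"""

if __name__ == "__main__":
    zone = load_zone(SAMPLE_ZONE)
    for fqdn, ca in [("www.example.com", "letsencrypt.org"), ("*.example.com", "letsencrypt.org"),
                     ("*.example.com", "digicert.com"), ("dev.example.com", "letsencrypt.org"),
                     ("parked.example", "digicert.com"), ("legacy.example", "letsencrypt.org")]:
        ok, why = ca_may_issue(zone, fqdn, ca)
        print(f"{'ALLOW' if ok else 'DENY ':5} {fqdn:18} {ca:16} {why}")
```

Two results are worth pausing on. `www.example.com` has no records of its own, so the climb lands on `example.com` and Let's Encrypt is allowed; `dev.example.com` does have its own RRset, so the parent's policy is not consulted at all, and Let's Encrypt is refused there even though the parent permits it. That is exactly the "parent domain CAA" and "subdomain override" behaviour described in the troubleshooting section below.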
Understanding Your Check Results
✅ DNSSEC: Validated
Your domain has DNSSEC properly configured and the chain of trust is intact.
- DNS responses are cryptographically signed and verified
- Protected against DNS cache poisoning and spoofing attacks
- Users can trust that DNS queries return authentic data
- Meets modern security standards for DNS
⚠️ DNSSEC: Not Signed
DNSSEC is not enabled for your domain.
- DNS responses are not cryptographically protected
- Vulnerable to DNS spoofing and cache poisoning
- Recommendation: Contact your DNS provider to enable DNSSEC
- Implementation typically involves adding DS records at your registrar
✅ CAA Records: Configured
Your domain has CAA records specifying authorized Certificate Authorities.
- Only authorized CAs can issue certificates for your domain
- Protected against unauthorized or fraudulent certificate issuance
- Reduces risk of man-in-the-middle attacks using rogue certificates
- Shows which CAs are currently authorized
ℹ️ CAA Records: Not Found
No CAA records are configured (any CA can issue certificates once it has validated your control of the domain).
- Any publicly trusted Certificate Authority can issue certificates for your domain
- Higher risk of unauthorized certificate issuance
- Recommendation: Add CAA records to restrict certificate issuance
- Start with your current CA (Let's Encrypt, DigiCert, etc.), using the issuer domain it documents for CAA
❌ DNSSEC: Validation Failed
DNSSEC is configured but validation is failing.
- Chain of trust is broken or signatures are invalid (expired RRSIGs, or a DS at the registrar that matches no DNSKEY in the zone)
- Validating resolvers, including Google Public DNS, Cloudflare and Quad9, answer SERVFAIL, so your domain is unreachable for their users
- Critical: This needs immediate attention
- Check with your DNS provider to fix signing issues; if a stale DS is the cause, correcting or withdrawing it at the registrar restores resolution
Why DNSSEC and CAA Matter
🛡️ DNSSEC Benefits
- Prevents DNS cache poisoning
- Protects against man-in-the-middle attacks
- Ensures DNS response authenticity
- Required for DANE and other protocols
- Increases user trust and security
- Compliance with security standards
🔒 CAA Benefits
- Control which CAs can issue certificates
- Prevent unauthorized SSL/TLS issuance
- Reduce the risk of impersonation through mis-issued certificates for your own names
- Compliance with industry best practices
- Incident reporting for violations
- Enhanced brand protection
How to Implement DNSSEC and CAA
Implementing DNSSEC
- Check DNS provider support: Verify your DNS hosting provider supports DNSSEC (most major providers do)
- Enable DNSSEC: Activate DNSSEC in your DNS provider's control panel
- Get DS records: Your DNS provider will generate DNSKEY records and corresponding DS records
- Add DS records to registrar: Copy the DS records to your domain registrar's DNSSEC settings
- Wait for propagation: publish the DS only after every authoritative server is serving the signed zone; the DS then appears as the parent zone updates and old answers age out of caches, typically hours to a day or two depending on TTLs
- Verify implementation: Use this tool or DNSViz.net to confirm DNSSEC is working
- Monitor regularly: DNSSEC signatures expire and need regular maintenance
Implementing CAA Records
- Identify your CAs: Determine which Certificate Authorities you currently use
- Create CAA records: Add CAA records to your DNS zone for each authorized CA
- Test before applying: Use CAA testing tools to verify syntax is correct
- Start restrictive: Begin with specific CAs rather than allowing all
- Add iodef record: Include an email or URL for incident reporting
- Propagate changes: Allow time for DNS propagation (usually minutes to hours)
- Verify configuration: Use this tool to confirm CAA records are readable
- Update as needed: Modify CAA records when changing certificate providers
Troubleshooting Common Issues
DNSSEC Validation Failures
- Expired signatures: RRSIG records have limited validity; ensure automatic re-signing is enabled and alert well before the expiry time
- DS record mismatch: the DS at the registrar must match the KSK DNSKEY in the zone on key tag, algorithm and digest; a DS left behind after a key change is the most common cause
- Chain of trust broken: Parent zone may not be properly delegating to your zone, or a DS exists while the zone is being served unsigned
- Algorithm issues: the SHA-1 based algorithms 5 and 7 are not recommended for signing (RFC 8624); use ECDSA P-256 with SHA-256 (algorithm 13) or Ed25519 (algorithm 15)
- Provider migration: Changing DNS providers requires careful DNSSEC reconfiguration; either withdraw the DS before moving or carry both providers' keys in the DNSKEY set during the transition
CAA Record Problems
- Certificate issuance failing: Ensure the CA you're using is authorized in your CAA records, and that for wildcard requests it appears in issuewild whenever any issuewild record exists
- Syntax errors: Verify CAA record format; quotes and spacing are important
- Parent domain CAA: if a name has no CAA RRset, the CA climbs toward the root and applies the first RRset it finds, so the parent's records govern every subdomain that sets none of its own
- Subdomain specific: a CAA RRset on a subdomain replaces the parent's policy for that name and for everything below it that has no records of its own
- CA name confusion: Use the issuer domain the CA publishes for CAA (e.g., "letsencrypt.org" not "Let's Encrypt")
Frequently Asked Questions
Do I need both DNSSEC and CAA records?
They serve different purposes and are both recommended but not required. DNSSEC protects the authenticity of DNS responses, while CAA controls certificate issuance. Implementing both provides comprehensive domain security. DNSSEC is more technically complex but protects against DNS attacks, while CAA is simpler to implement and prevents unauthorized SSL certificate issuance.
Will DNSSEC break my website if misconfigured?
If DNSSEC is misconfigured (invalid signatures, broken chain of trust), users with validating DNS resolvers (like Google Public DNS, Cloudflare DNS) will not be able to resolve your domain at all: the resolver returns SERVFAIL rather than an answer it cannot verify. This is why it's critical to test DNSSEC before enabling it in production. Resolvers only start validating once the DS record exists in the parent zone, so sign the zone first, confirm the signatures with a tool like DNSViz, and publish the DS at the registrar as the final step.
What happens if I don't have CAA records?
Without CAA records, any Certificate Authority can issue SSL/TLS certificates for your domain (after domain validation). While most CAs have stringent verification processes, CAA records provide an additional security layer that explicitly declares which CAs you trust. This is especially important for high-value domains or organizations concerned about fraudulent certificate issuance.
How often do DNSSEC signatures need to be refreshed?
DNSSEC signatures (RRSIG records) have expiration dates typically set 2-4 weeks in the future. Most modern DNS providers automatically re-sign your zone well before signatures expire, usually daily or weekly. You should monitor DNSSEC status regularly to catch any issues with automatic re-signing. Manual DNSSEC management is complex and error-prone, so using a provider with automatic signing is highly recommended.
Can I use CAA records with wildcard domains?
Yes, CAA records support wildcard certificates through the "issuewild" property. You can specify different CAs for regular certificates (issue) and wildcard certificates (issuewild). For example, you might allow one CA for standard certificates but restrict wildcard issuance to a more trusted CA. If no issuewild property is set, the issue property applies to both regular and wildcard certificates.
Does DNSSEC protect against DDoS attacks?
No, DNSSEC does not protect against DDoS (Distributed Denial of Service) attacks. In fact, DNSSEC can sometimes amplify DDoS attacks because signed DNS responses are larger than unsigned ones. DNSSEC protects the integrity and authenticity of DNS data, not availability. For DDoS protection, you need separate solutions like rate limiting, anycast routing, and DDoS mitigation services.
What's the iodef property in CAA records?
The iodef (Incident Object Description Exchange Format) property specifies where Certificate Authorities may report policy violations. You can provide an email address (mailto:security@example.com) or a URL (https://example.com/caa-report). If a CA detects a certificate request that violates your CAA policy, it may notify you at this address; RFC 8659 makes the report optional, so not every CA will. When it arrives, it helps you detect unauthorized certificate requests or attempts to compromise your domain.
Do CAA records affect certificate renewal?
Yes, if you have CAA records, they must authorize your CA every time you renew or reissue certificates. If you switch to a different CA, you must update your CAA records first, then request the certificate. Automated clients such as Certbot surface the CA's CAA error, but an unattended renewal job that fails is easy to miss until the old certificate expires, so alert on renewal failures rather than assuming the cron job succeeded. Always ensure your CAA records include all CAs you plan to use.
Is DNSSEC required for my domain?
DNSSEC is generally not required by law or regulation for most domains, but it's considered a best practice for security. Some industries (banking, government, healthcare) may require or strongly recommend DNSSEC. Certain top-level domains (TLDs) like .gov strongly encourage or require DNSSEC. Even if not required, implementing DNSSEC protects your users and enhances your security posture.
Can I remove DNSSEC once enabled?
Yes, but you must follow the correct procedure to avoid breaking DNS resolution. First, remove the DS records from your domain registrar. Wait at least the TTL of the DS record in the parent zone (often 24-48 hours) so that no cache still holds the old DS. Only then can you safely remove DNSSEC signing from your DNS provider. If you disable signing before removing DS records, DNSSEC validation will fail and users of validating resolvers won't be able to resolve your domain.
Best Practices for DNS Security
🎯 Recommended Security Checklist
- Enable DNSSEC: Implement with a provider that supports automatic key rotation and re-signing
- Implement CAA records: Start restrictive and explicitly authorize only the CAs you use
- Use modern algorithms: DNSSEC algorithm 13 (ECDSA P-256 with SHA-256) is recommended for new deployments; Ed25519 (algorithm 15) is the other current choice
- Monitor regularly: Set up alerts for DNSSEC validation failures and signature expiry, and watch Certificate Transparency logs for certificates issued for your names, since CAA is checked by CAs at issuance time and is not enforced by browsers
- Document your configuration: Keep records of DS values, authorized CAs, and contact information
- Test before production: Use DNSSEC testing tools and staging environments when possible
- Plan for key rollovers: DNSSEC keys should be rotated periodically per security best practices
- Include iodef in CAA: Always add an iodef property for incident reporting
- Review after changes: Verify DNSSEC and CAA after any DNS provider migrations
- Educate your team: Ensure staff understand DNSSEC and CAA implications for operations