CAA record lookup: check certificate authority records
TL;DR. CAA records restrict which Certificate Authorities are allowed to issue TLS certificates for your domain. CAs are required by the CA/Browser Forum baseline requirements to honour CAA.
How the CAA record works
Publishing a CAA record that lists only letsencrypt.org protects you against rogue issuance from compromised registrars. Pair CAA with DNSSEC for end-to-end integrity of the policy. A CAA record check across global resolvers confirms every CA worldwide sees the same issuance policy before you rely on it.
Example CAA record
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
Check a CAA record live
Run the multi-resolver probe and confirm propagation of your CAA record across 12 global resolvers in real time.
Reference
Spec: RFC 8659.
CAA record FAQ
How do I check a CAA record?
Run a probe in dnsprobe and we query the CAA record from 12 global resolvers, so you can confirm your certificate-authority policy is published consistently before requesting a cert.
Do I need a CAA record?
A CAA record is optional but recommended. Without one, any CA may issue for your domain. With one, only the CAs you list can issue, reducing the blast radius of a registrar or DNS compromise.
Why is my certificate issuance failing?
If your CAA record does not list the CA you are using, issuance is refused. A global CAA check confirms whether every resolver returns a policy that permits your chosen CA.
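The checks described in the FAQ above can be reproduced offline. This is an added example, not dnsprobe's code or part of the original page: it parses zone-file CAA lines like the one shown earlier, applies the RFC 8659 issuance rules, and compares the answers from several resolvers. The function names, resolver labels and sample answers are constructed for illustration, and the input is assumed to already be the relevant RRset for the name.

```python
import shlex

def parse_caa(line):
    """Parse one zone-file CAA line into (flags, tag, value)."""
    fields = shlex.split(line)          # shlex strips the quotes around the value
    i = fields.index("CAA")             # owner, TTL and class precede the type
    flags, tag, value = fields[i + 1:i + 4]
    return int(flags), tag.lower(), value

def ca_permitted(rrset, ca, wildcard=False):
    """Decide whether `ca` may issue, given the relevant CAA RRset (RFC 8659).

    Assumption: rrset is already the relevant RRset; the climb from a
    subdomain towards its parents described in the RFC is not performed.
    """
    records = [parse_caa(l) for l in rrset]
    # Critical bit (128) on a property this checker does not understand: refuse.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in records):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"               # issuewild overrides issue for wildcards
    issuers = [v.split(";")[0].strip().lower() for _, t, v in records if t == tag]
    if not issuers:
        return True                     # no restricting property: any CA may issue
    return ca.lower() in issuers        # 'issue ";"' yields "" and matches no CA

def probe_summary(answers, ca):
    """answers: {resolver_label: [CAA lines]} -> (consistent, permitted_everywhere)."""
    views = {frozenset(parse_caa(l) for l in rr) for rr in answers.values()}
    return len(views) == 1, all(ca_permitted(rr, ca) for rr in answers.values())

# Constructed sample answers; resolver labels are placeholders.
SAMPLE = {
    "resolver-a": ['example.com. 3600 IN CAA 0 issue "letsencrypt.org"'],
    "resolver-b": ['example.com. 3600 IN CAA 0 issue "letsencrypt.org"'],
    "resolver-c": [],                   # record not yet visible on this resolver
}

if __name__ == "__main__":
    print(probe_summary(SAMPLE, "letsencrypt.org"))
```

In the sample, the resolver that returns no CAA record still permits the chosen CA, but it also permits every other CA, so an inconsistent result needs attention even when issuance would succeed.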