Certificate Policy DNS

CAA-Validator

Validate and generate CAA records for Let’s Encrypt, DigiCert, wildcard issuance, and incident reporting so certificate policy is explicit before you publish it.

Record Validation

Checks CAA flags, tag semantics, and common operational mistakes.

Zone Output

Generates a ready-to-publish zone-file line for BIND or PowerDNS workflows.

Provider-Friendly

Shows Cloudflare-style flag, tag, and value fields for quick copying.

Presets

Use issue for normal certificates, issuewild for wildcard-only authorization, and iodef for incident reports.

Verdict

CAA Record Looks Valid

Only letsencrypt.org is authorized to issue non-wildcard certificates for this hostname.

Generated Output

Normalized value: 0 issue "letsencrypt.org"
Zone file record: @ 3600 IN CAA 0 issue "letsencrypt.org"
Cloudflare-style fields: Flag 0, Tag issue, Value letsencrypt.org

Best practices

  • Use issue and issuewild together when wildcard policy differs from normal certificate policy.
  • Keep iodef destinations current so certificate incident reports reach a monitored inbox or endpoint.
  • Avoid setting issuer-critical unless you intentionally depend on a property that must be understood by the CA.
  • Treat CAA as policy documentation as well as enforcement. Keep it aligned with your certificate automation.

Why CAA matters

CAA reduces certificate issuance ambiguity by explicitly naming which certificate authorities may issue for a hostname.

What teams miss

Many teams add issue records but forget issuewild, leaving wildcard policy undefined or overly broad.

Operational payoff

Clear CAA policy makes certificate automation, audits, and incident handling easier to reason about.

About this tool

CAA, or Certification Authority Authorization, is a DNS record type that tells certificate authorities which providers are allowed to issue certificates for a hostname. It can also define a separate policy for wildcard certificates and provide an IODEF endpoint for incident reporting. This CAA Validator and Generator lets you build records from structured inputs, parse existing zone lines, normalize syntax, and produce copy-ready output for common DNS providers. It is useful during certificate automation projects, CA migrations, domain security reviews, and compliance audits where certificate policy needs to be explicit and reviewable.

Instructions

  1. Paste an existing CAA line if you want to parse and review it.
  2. Or fill in the hostname, TTL, flags, tag, and value fields directly.
  3. Use presets to start from common patterns such as Let’s Encrypt or wildcard-only issuance.
  4. Review the normalized record, zone-file output, and recommendations.
  5. Publish the final line in your DNS provider after confirming it matches your certificate automation policy.

Features

  • Parses existing zone-file CAA lines
  • Validates flags, tags, and common IODEF patterns
  • Generates normalized CAA value and full zone record
  • Includes Cloudflare-friendly field output
  • Explains issue, issuewild, and iodef semantics in plain language

Common use cases

  • Restricting issuance to Let’s Encrypt or a commercial CA
  • Defining separate wildcard issuance policy
  • Preparing DNS for certificate automation rollouts
  • Reviewing certificate controls during security audits
  • Documenting CA policy for incident response or compliance

Technical details

CAA records use the format flags tag "value", for example 0 issue "letsencrypt.org". In a zone file they are published as name TTL IN CAA flags tag "value".

The most common tags are:

  • issue: authorizes a CA for normal certificates.
  • issuewild: authorizes a CA for wildcard certificates.
  • iodef: provides a reporting destination for certificate incidents.

Flag 128 sets the issuer-critical bit. If that bit is present and a CA does not understand the property, it must refuse issuance.
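As an added illustration of the parsing and checks described above (example code written for this page, not the tool's own implementation), the following Python parses either a bare flags tag "value" string or a full zone-file CAA line, validates the flags and tag semantics, and emits the normalized value and zone record. The sample lines at the bottom are constructed.

```python
import re

VALID_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical bit
LINE_RE = re.compile(
    r'^(?:(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+CAA\s+)?'   # optional zone-file prefix
    r'(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"$', re.I)
DOMAIN_RE = re.compile(r'^(?:[a-z0-9-]+\.)+[a-z]{2,}$', re.I)

def parse_caa(line, name="@", ttl=3600):
    """Parse a bare 'flags tag "value"' or a full 'name TTL IN CAA ...' line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return {"name": m["name"] or name, "ttl": int(m["ttl"] or ttl),
            "flags": int(m["flags"]), "tag": m["tag"].lower(),  # tags are case-insensitive
            "value": m["value"].strip()}

def validate_caa(rec):
    """Return a list of problems; an empty list means the record looks valid."""
    problems, flags, tag, value = [], rec["flags"], rec["tag"], rec["value"]
    if not 0 <= flags <= 255:
        problems.append("flags must be 0-255")
    elif flags & ~CRITICAL:
        problems.append("flags sets reserved bits; use 0 or 128")
    if tag not in VALID_TAGS:
        if flags & CRITICAL:  # critical + unknown property: CAs must refuse issuance
            problems.append(f"unknown tag {tag!r} with issuer-critical set: CAs must refuse")
        else:
            problems.append(f"unknown tag {tag!r} will be ignored by CAs")
    elif tag == "iodef":
        if not re.match(r"^(mailto:|https?:)", value, re.I):
            problems.append("iodef value should be a mailto: or https: URL")
    else:  # issue / issuewild: ';' alone forbids issuance, else 'ca.example[;params]'
        domain = value.split(";", 1)[0].strip()
        if domain and not DOMAIN_RE.match(domain):
            problems.append(f"{tag} value {value!r} is not a CA domain or ';'")
    return problems

def normalize_caa(rec):
    """Return (normalized value, ready-to-publish zone-file line)."""
    value = f'{rec["flags"]} {rec["tag"]} "{rec["value"]}"'
    return value, f'{rec["name"]} {rec["ttl"]} IN CAA {value}'

if __name__ == "__main__":
    # Constructed sample lines (not from the page): valid, forbid-all, and two mistakes
    for line in ['example.com. 3600 IN CAA 0 issue "letsencrypt.org"', '0 ISSUE ";"',
                 '128 auth "example.net"', '0 iodef "ftp://reports.example.net"']:
        rec = parse_caa(line)
        print(normalize_caa(rec)[1], "->", validate_caa(rec) or "OK")
```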

CAA FAQ

What does issue ";" mean?

It explicitly forbids certificate issuance for the hostname scope covered by that record.

Do I need both issue and issuewild?

Only if your wildcard issuance policy differs from normal certificate issuance. Otherwise issue may be enough.

What is the IODEF tag for?

It tells certificate authorities where to send incident or mis-issuance reports, usually a mailto: or https: URL.

Will CAA replace DCV or ACME validation?

No. CAA controls who may issue certificates, but domain validation still has to succeed.