How to check a CAA policy
Enter the exact hostname the certificate will cover. www.example.com can give a different answer from example.com, so use the real name from the certificate request. We ask a recursive resolver for the CAA record, follow an alias if one is in the way, and then keep walking up the original name until we hit the first policy.
Where the effective policy comes from
A name does not have to carry its own CAA record. If it has one, that wins. If it does not, the check moves to its parent, then the parent above that, and stops at the first policy it finds. So the policy that governs a certificate is often written a level or two up, not on the exact name.
www.example.comexample.comcomPolicy in effectOne thing an alias does not do: a CNAME can send the lookup to an alias target, but the alias target's parent domains do not join the original name's inheritance path. The result lists every place we looked, so you can see which record set actually won instead of guessing.
Normal and wildcard certificates
issue covers normal certificates, the ones for a specific hostname. issuewild covers wildcard certificates, the ones that match a whole level like *.example.com. If a name has no issuewild record, wildcard requests fall back to the issue policy. If a policy has only issuewild and no issue, then CAA is not restricting normal certificates at all.
How to read CAA records
issue | Lets the named authority issue normal certificates for the name. |
|---|---|
issuewild | Lets the named authority issue wildcard certificates for the name. |
iodef | A mail or web address where an authority can report a policy problem it runs into. |
| Empty issuer | A value like CAA 0 issue ";" allows no one, which blocks that kind of issuance. |
| Critical flag | If a property is marked critical and an authority does not understand it, that authority must refuse to issue. |
Several issue or issuewild records stack rather than compete. Every authority listed under that tag is allowed.
What this result does not promise
CAA is one permission gate in the process, not a list of certificates that already exist. This page does not read certificate history, contact an iodef address, or promise that an allowed authority will actually issue. That authority still has to confirm you control the domain and apply its own rules on top of the CAA answer.