CAA Record Analyzer
Analyze Certificate Authority Authorization records for a domain.
GET
/v1/caa
curl "https://dns.toolkitapi.io/v1/caa?domain=github.com"
import httpx
resp = httpx.get(
"https://dns.toolkitapi.io/v1/caa?domain=github.com",
)
print(resp.json())const resp = await fetch("https://dns.toolkitapi.io/v1/caa?domain=github.com", {
});
const data = await resp.json();
console.log(data);# See curl example
Response
200 OK
{
"domain": "github.com",
"has_caa": true,
"found_at": "github.com",
"records": [
{"flags": 0, "tag": "issue", "value": "digicert.com", "ca_name": "DigiCert", "domain": "github.com"},
{"flags": 0, "tag": "issuewild", "value": "digicert.com", "ca_name": "DigiCert", "domain": "github.com"}
],
"issue_cas": ["digicert.com"],
"issuewild_cas": ["digicert.com"],
"has_iodef": false,
"iodef_targets": [],
"allows_any_ca": false,
"deny_all": false,
"checked_domains": ["github.com", "com"],
"query_time_ms": 23.7
}Try It Live
Live Demo
Response
Description
Analyze Certificate Authority Authorization records for a domain.
How to Use
1
1. Pass the domain in the `domain` parameter. 2. Check `has_caa` and `issue_cas` to see which CAs are authorized. 3. Verify `issuewild_cas` for wildcard certificate policies. 4. Check `has_iodef` for incident notification configuration.
About This Tool
CAA Record Analyzer looks up and analyzes CAA (Certificate Authority Authorization) records for a domain. It shows which CAs are authorized to issue certificates, wildcard policies, and incident reporting (iodef) configuration. The tool walks up the domain tree to find inherited CAA records.
Why Use This Tool
- Certificate management — Verify which CAs can issue certificates for your domain
- Security audit — Check that CAA restricts issuance to authorized CAs only
- Compliance — Verify CAA records exist as required by organizational policy
- Troubleshooting — Debug certificate issuance failures due to CAA restrictions
Frequently Asked Questions
What if there are no CAA records?
If `has_caa` is false and `allows_any_ca` is true, any CA can issue certificates for the domain. Consider adding CAA records.
Does it check parent domains?
Yes — CAA records are inherited. The tool walks up the domain tree (e.g. sub.toolkitapi.io → toolkitapi.io → com).
Start using CAA Record Analyzer now
Get your free API key and make your first request in under a minute.