CAA Records
GET /v1/dns/caa (free tier)

Retrieves CAA (Certificate Authority Authorization) records that specify which certificate authorities are permitted to issue certificates for a domain. Supports RFC 8659 tags including issue, issuewild, and iodef, plus RFC 8657 extensions for accounturi and validationmethods.
What It Does
Queries CAA records and parses the issue, issuewild, and iodef tags. Identifies authorized CAs by matching against known identifiers (Let's Encrypt, DigiCert, Sectigo, Amazon ACM, Google Trust Services, Cloudflare, and others). Reports wildcard certificate policies, missing iodef incident contacts, and recommends issuewild policies. Checks both the domain and parent domains for inherited policies per RFC 8659 tree-climbing rules.
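To make the behaviour described above concrete, here is an added example (not the edgedns service's own code) that evaluates CAA policy the way RFC 8659 prescribes over a constructed in-memory zone: it climbs the DNS tree to find the relevant RRset, parses issue/issuewild/iodef values including RFC 8657 parameters, matches issuer domains against a small constructed table of known CAs, derives the wildcard policy and produces the kind of recommendations the endpoint returns. The zone contents, the KNOWN_CAS table and the function names are all assumptions made for the demonstration.

```python
"""Added example, not edgedns's own code: an RFC 8659 CAA policy evaluator over a
constructed in-memory zone, reproducing the checks the endpoint describes
(tree-climbing, issue/issuewild/iodef parsing, RFC 8657 parameters, wildcard policy)."""
from dataclasses import dataclass

# Constructed subset of CA identifiers; the real service matches a longer list.
KNOWN_CAS = {"letsencrypt.org": "Let's Encrypt", "digicert.com": "DigiCert",
             "sectigo.com": "Sectigo", "pki.goog": "Google Trust Services"}


@dataclass
class CAARecord:
    flags: int   # 128 sets the Issuer Critical flag (RFC 8659 section 4.1)
    tag: str     # issue, issuewild, iodef, or a property the CA may not know
    value: str

    @property
    def critical(self):
        return bool(self.flags & 0x80)


def parse_issue_value(value):
    """'ca.example; accounturi=...' -> (issuer_domain or None, params); ';' alone names no issuer."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0].lower() or None, {k.strip().lower(): v.strip() for k, v in params.items()}


def relevant_rrset(zone, domain):
    """RFC 8659 section 3: use CAA(domain) if present, else climb to each parent."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def split_tags(rrset):
    issue = [parse_issue_value(r.value) for r in rrset if r.tag == "issue"]
    issuewild = [parse_issue_value(r.value) for r in rrset if r.tag == "issuewild"]
    iodef = [r.value for r in rrset if r.tag == "iodef"]
    return issue, issuewild, iodef


def evaluate(zone, domain):
    """Build a result shaped like the endpoint's documented response fields."""
    effective, rrset = relevant_rrset(zone, domain)
    issue, issuewild, iodef = split_tags(rrset)
    # Wildcard requests are governed by issuewild when any exist, otherwise by issue;
    # an empty governing set means unrestricted, and ';' entries name no issuer.
    wild_set = issuewild or issue
    allowed = sorted({d for d, _ in issue if d})
    recs = []
    if not rrset:
        recs.append("No CAA records: any CA may issue. Add issue records for approved CAs.")
    else:
        if not issue:
            recs.append("Records exist but none use the issue tag, so issuance is unrestricted.")
        if not iodef:
            recs.append("Add an iodef record so CAs can report policy violations.")
        if not issuewild:
            recs.append('Add issuewild (e.g. ";") to state the wildcard policy explicitly.')
    return {
        "domain": domain,
        "found": bool(rrset),
        "effective_domain": effective,
        "is_inherited": bool(rrset) and effective != domain.lower().rstrip("."),
        "allowed_issuers": allowed,
        "known_ca_names": [KNOWN_CAS[d] for d in allowed if d in KNOWN_CAS],
        "has_iodef": bool(iodef),
        "iodef_targets": iodef,
        "allows_wildcard": not wild_set or any(d for d, _ in wild_set),
        "recommendations": recs,
    }


def may_issue(zone, domain, ca_domain, wildcard=False):
    """The decision a CA must make before issuing (RFC 8659 section 4)."""
    _, rrset = relevant_rrset(zone, domain)
    # An unrecognised property with the critical flag set forbids issuance.
    if any(r.critical and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    issue, issuewild, _ = split_tags(rrset)
    governing = issuewild if (wildcard and issuewild) else issue
    return not governing or any(d == ca_domain.lower() for d, _ in governing)


# Constructed zone for the demonstration.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        CAARecord(0, "issue", "digicert.com"),
        CAARecord(0, "issuewild", ";"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "open.example.net": [CAARecord(0, "iodef", "mailto:caa@example.net")],
    "locked.example.org": [CAARecord(128, "unknownprop", "x")],
}
```

Calling `evaluate(ZONE, "www.example.com")` reports the policy as inherited from example.com with two allowed issuers, iodef configured and wildcards denied, while `may_issue(ZONE, "www.example.com", "letsencrypt.org", wildcard=True)` is False because the `issuewild ";"` record takes precedence for wildcard requests. Note the two edge cases the zone exercises: records that carry only an iodef tag leave issuance unrestricted, and a critical-flagged property the CA does not understand forbids issuance altogether.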
Why It's Useful
Without CAA records, any CA can issue certificates for your domain. CAs are required to check CAA before issuance (RFC 8659), and a SERVFAIL on CAA lookup blocks issuance entirely — making CAA + DNSSEC a powerful defense against unauthorized certificates and man-in-the-middle attacks.
Use Cases
Certificate Security Audit
Verify that CAA records restrict certificate issuance to your organization's approved CAs only.
Prevent unauthorized certificate issuance that could enable impersonation attacks.
Compliance Verification
Document CAA configuration as part of SOC 2 or ISO 27001 evidence collection.
Demonstrate certificate issuance controls for compliance audits.
Certificate Transparency Cross-Reference
Cross-reference CAA policy with Certificate Transparency logs to detect certificates issued by unauthorized CAs that violate your domain's authorization policy.
Detect policy violations and potential man-in-the-middle attacks from unauthorized certificate issuance.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to check CAA records for. Example: example.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| found | boolean | Whether CAA records were found (at this domain or a parent) |
| effective_domain | string | The domain where CAA records were found (may differ from the queried domain due to RFC 8659 tree-climbing) |
| is_inherited | boolean | Whether the CAA policy is inherited from a parent domain |
| records | array | CAA records with flags, tag, value, issuer_domain, accounturi, validationmethods, and critical flag (RFC 8659 Section 4) |
| allowed_issuers | array | List of authorized certificate authorities |
| has_iodef | boolean | Whether iodef incident reporting is configured |
| iodef_targets | array | Incident reporting targets (email or URL) |
| allows_wildcard | boolean | Whether wildcard certificate issuance is permitted. False when issuewild ";" denies all wildcards (RFC 8659 Section 4.2) |
| recommendations | array | Actionable recommendations for improving the CAA configuration |
| servfail | boolean | True when a DNS SERVFAIL was encountered. Per RFC 8659, CAs must not issue certificates in this case (optional, only present on SERVFAIL) |
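The Certificate Transparency cross-reference use case above amounts to taking this response and comparing it with what CT logs show was actually issued. The following is an added example, not code from the edgedns service: the response object is a constructed sample built from the documented fields, the CT entries and the mapping from certificate issuer organisation names to CAA issuer domain names are assumptions, and caa_violations is a hypothetical function name. It honours the servfail field (policy unknown, so the audit must not proceed), treats found=false and an empty allowed_issuers list as unrestricted issuance rather than as violations, and lets the caller exclude certificates issued before the CAA policy was deployed, since CAA is only checked at issuance time.

```python
"""Added example, not edgedns's own code: cross-reference this endpoint's response
with Certificate Transparency entries and flag certificates from CAs the CAA
policy does not authorise. The response, CT entries and issuer map are constructed."""
import json

# Constructed response using the documented fields (a real one comes from the API).
CAA_RESPONSE = json.loads("""{
  "domain": "www.example.com", "found": true, "effective_domain": "example.com",
  "is_inherited": true, "allowed_issuers": ["letsencrypt.org", "digicert.com"],
  "has_iodef": true, "iodef_targets": ["mailto:security@example.com"],
  "allows_wildcard": false, "recommendations": []
}""")

# Constructed CT entries; serials and dates are made up for the demonstration.
CT_ENTRIES = [
    {"serial": "03a1", "cn": "www.example.com", "issuer_org": "Let's Encrypt", "not_before": "2024-01-05"},
    {"serial": "04b2", "cn": "api.example.com", "issuer_org": "DigiCert Inc", "not_before": "2024-02-10"},
    {"serial": "05c3", "cn": "www.example.com", "issuer_org": "Example Untrusted CA", "not_before": "2024-03-01"},
    {"serial": "06d4", "cn": "*.example.com", "issuer_org": "DigiCert Inc", "not_before": "2024-03-15"},
]

# Assumed mapping from the organisation in a certificate's issuer field to the
# CAA issuer-domain-name that CA honours; a real deployment maintains this table.
ISSUER_ORG_TO_CAA = {"Let's Encrypt": "letsencrypt.org", "DigiCert Inc": "digicert.com",
                     "Sectigo Limited": "sectigo.com"}


def caa_violations(caa, ct_entries, issuer_map, policy_since=None):
    """Return (serial, reason) pairs for CT entries that conflict with the CAA policy.

    CAA is enforced at issuance time, so certificates issued before the records
    were deployed are not CA failures: pass policy_since (ISO date) to skip them.
    """
    if caa.get("servfail"):
        raise RuntimeError("CAA lookup hit SERVFAIL; policy unknown, re-query before auditing")
    if not caa.get("found"):
        return []  # no policy anywhere in the tree: any CA may issue
    allowed = {d.lower() for d in caa.get("allowed_issuers", [])}
    findings = []
    for e in ct_entries:
        if policy_since and e["not_before"] < policy_since:
            continue
        caa_id = issuer_map.get(e["issuer_org"])
        if caa_id is None:
            findings.append((e["serial"], f"issuer {e['issuer_org']!r} has no known CAA identifier; review manually"))
        elif allowed and caa_id not in allowed:   # empty allowed = no issue tag = unrestricted
            findings.append((e["serial"], f"issuer {caa_id} is not in allowed_issuers"))
        elif e["cn"].startswith("*.") and not caa.get("allows_wildcard", True):
            findings.append((e["serial"], "wildcard certificate but issuewild denies wildcards"))
    return findings


if __name__ == "__main__":
    for serial, reason in caa_violations(CAA_RESPONSE, CT_ENTRIES, ISSUER_ORG_TO_CAA):
        print(serial, reason)
```

Run against the constructed data, the audit flags serial 05c3 (an issuer with no known CAA identifier) and 06d4 (a wildcard certificate from an otherwise-allowed CA while issuewild denies wildcards); the two certificates from allowed CAs pass. An unmapped issuer is reported for manual review rather than silently accepted, because an incomplete issuer table is exactly where an unauthorised CA would hide.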
Code Examples
cURL

```bash
# -G sends the -d parameters as a GET query string, matching the JavaScript and Python calls below.
curl -G "https://api.edgedns.dev/v1/dns/caa" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

JavaScript

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/dns/caa?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

Python

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/dns/caa',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    }
)
data = response.json()
print(data)
```