CAA Record Propagation Checker

Confirm your certificate authority authorization records are live globally

  • 7 independent networks
  • Records + DNS flags
  • No ads, no sign-up


Independent networks

7 public DNS networks, queried in parallel

Every test query is answered by these unaffiliated resolvers on separate networks and infrastructure. When they agree, you can trust the result.

  • Google Public DNS

    Google LLC · North America

    8.8.8.8
  • Cloudflare

    Cloudflare, Inc. · Global Anycast

    1.1.1.1
  • AdGuard DNS

    AdGuard Software Ltd. · Europe

    94.140.14.14
  • NextDNS

    NextDNS, Inc. · Global Anycast

    45.90.28.0
  • DNS.SB

    xTom / Layer0 · Europe

    185.222.222.222
  • Alibaba DNS

    Alibaba Cloud · Asia

    223.5.5.5
  • DNSPod

    Tencent Cloud · Asia

    119.29.29.29

How it works

A propagation check on records and DNS flags, done right

Most checkers query a single resolver or a set of geographically labelled servers behind the same anycast network. isPropagated queries genuinely independent DNS operators and compares both their records and their response flags.

01. Enter a domain and run the test query

Type any domain, pick a record type (A, AAAA, CNAME, MX, TXT, NS and more), then run a single test query that fans out to every network at once.

02. We query independent global networks

Instead of asking one resolver, we ask several unaffiliated public DNS networks in parallel — across North America, Europe and Asia — so no single cache can mislead you.

03. Compare records and DNS flags

Each network returns its answer plus the DNS response flags (AD, CD, RA, RD, TC). We check that both the records and the flags agree before calling a domain propagated.

04. Read the propagation verdict

A clear consensus score shows how many networks resolved the record and whether their answers match — so you know the moment a change is live everywhere.

What is a CAA record and why must it propagate before issuing an SSL certificate?

A CAA (Certification Authority Authorization) record specifies which certificate authorities (CAs) are permitted to issue SSL/TLS certificates for a domain. For example, a CAA record of "0 issue letsencrypt.org" allows only Let's Encrypt to issue certificates, while "0 issuewild letsencrypt.org" also permits wildcard certificates. CAs are required to check CAA records before issuing any certificate.

If you add a CAA record after a period of having none (or change the allowed CA), the change must propagate to all global resolvers before a CA's check will reliably see it. A CA performing an issuance check against a resolver still serving no CAA record may issue a certificate when it should be blocked. More commonly, you may add CAA records that incorrectly exclude your own CA, which blocks certificate issuance until you fix the record and wait for propagation.

Run this check after adding or modifying a CAA record, and before requesting a certificate from your CA. Confirm all 7 resolvers return the correct CAA record before proceeding with certificate issuance.
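The comparison described under "How it works", used as a gate before issuance, can be sketched as follows. This is an added Python example, not isPropagated's own code: the function names and the response layout are assumptions, and the per-resolver responses are constructed sample data rather than real query output.

```python
from collections import Counter

def normalise(records):
    """Order- and case-insensitive view of a CAA RRset given as (flag, tag, value)."""
    return frozenset((int(f), t.lower(), v.strip().lower()) for f, t, v in records)

def propagation_verdict(responses, expected_ca):
    """Compare each resolver's rcode, CAA RRset and header flags, then look for expected_ca."""
    views = {ip: (r["rcode"], normalise(r["records"]), frozenset(r["flags"]))
             for ip, r in responses.items()}
    majority, agree = Counter(views.values()).most_common(1)[0]
    outliers = sorted(ip for ip, view in views.items() if view != majority)
    rcode, rrset, _flags = majority
    # The issuer domain is the part of the value before any ";" parameters.
    issuers = sorted({v.split(";")[0].strip() for _f, t, v in rrset if t == "issue"})
    propagated = not outliers and rcode == "NOERROR"
    return {"propagated": propagated,
            "ca_listed": propagated and expected_ca.lower() in issuers,
            "agree": f"{agree}/{len(views)}", "outliers": outliers, "issuers": issuers}

# Constructed sample responses for example.com (hypothetical layout, not real output).
NEW = [(0, "issue", "letsencrypt.org")]

def reply(records):
    return {"rcode": "NOERROR", "flags": {"RD", "RA"}, "records": records}

# One resolver cache is still serving the old state (no CAA record).
STALE = {"8.8.8.8": reply(NEW), "1.1.1.1": reply(NEW),
         "94.140.14.14": reply(NEW), "223.5.5.5": reply([])}
LIVE = {ip: reply(NEW) for ip in STALE}

if __name__ == "__main__":
    for name, sample in (("stale", STALE), ("live", LIVE)):
        print(name, propagation_verdict(sample, "letsencrypt.org"))
```

An automated renewal job would proceed only when both `propagated` and `ca_listed` are true, and would otherwise log the `outliers` list and retry after the TTL.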

CAA record propagation and wildcard certificates

CAA records use inheritance: if example.com has a CAA record but www.example.com does not, the www subdomain inherits the parent's CAA policy. To allow wildcard certificates, you need an "issuewild" tag in addition to an "issue" tag — they are separate permissions.

After adding or changing a CAA record, use this tool to verify all 7 resolvers return the new value before triggering certificate renewal or requesting a new certificate. If any resolver still returns the old CAA (or no CAA), wait for the TTL to expire and re-check.
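The inheritance rule above can be traced with a small lookup. This is an added Python example, not code from this tool: it handles non-wildcard requests only, the zone data is constructed, and the function names are assumptions. The handling of ";" parameters and of an empty issuer value follows RFC 8659.

```python
# Constructed zone data: owner name -> CAA records as (flag, tag, value).
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org; validationmethods=dns-01")],
    "locked.example.com": [(0, "issue", ";")],  # empty issuer: no CA may issue
}

def relevant_rrset(name, zone):
    """Climb from `name` towards the root; the first non-empty CAA RRset applies."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def issuer_of(value):
    """Issuer domain of an issue value, without any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, name, zone):
    """Return (allowed, owner of the RRset that decided) for a non-wildcard name."""
    owner, rrset = relevant_rrset(name, zone)
    allowed = [issuer_of(v) for _flag, tag, v in rrset if tag.lower() == "issue"]
    if not allowed:
        return True, owner  # no issue property anywhere on the path: unrestricted
    return ca.lower() in allowed, owner

if __name__ == "__main__":
    for ca, name in (("letsencrypt.org", "www.example.com"),
                     ("digicert.com", "www.example.com"),
                     ("letsencrypt.org", "api.locked.example.com"),
                     ("digicert.com", "example.org")):
        print(ca, name, may_issue(ca, name, ZONE))
```

A record set on a subdomain replaces the parent's policy rather than adding to it, which is why `api.locked.example.com` is refused even though `example.com` lists the CA.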

FAQ

Common questions about the CAA record propagation checker

How long does CAA record propagation take?

CAA records follow standard DNS TTL rules. Most providers set a default TTL of 3600 seconds. If you change or add a CAA record, all resolvers will reflect the change within one TTL cycle — typically 1 hour.

My SSL certificate issuance is failing because of a CAA record. What do I check?

First, confirm what CAA records are live using this tool. If the records are inconsistent, wait for propagation. If all resolvers return the same CAA record but it does not list your CA, you need to add the correct CA to your CAA record. Common CAs to whitelist: letsencrypt.org, pki.goog (Google Trust Services), digicert.com, sectigo.com.

Do I need a CAA record?

No, CAA records are optional. If a domain has no CAA record, any CA is permitted to issue certificates for it. CAA records are a security best practice: they limit which CAs can issue for your domain, reducing the risk of mis-issuance.

What is the difference between "issue" and "issuewild" tags?

"issue" authorizes a CA to issue regular (non-wildcard) certificates for the domain and its subdomains. "issuewild" authorizes wildcard certificates (e.g., *.example.com). A CA must have an explicit "issuewild" entry to issue wildcards even if it has an "issue" entry.