Web Server Rescue

Check CAA Certificate Issuers

You need to see which certificate authorities are allowed to issue for a domain.

Command

dig +short edge.test CAA

What changed

Nothing changes. The command queries DNS CAA records.

Danger

safe

When to use it

Use before debugging failed certificate issuance or changing ACME providers.

When not to use it

Do not assume missing CAA is a failure; many domains intentionally omit CAA records.

Undo or recovery

No undo needed because this command is read-only.

Expected output

CAA issue and contact records for the domain.
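The lesson shows the query; the part a practitioner usually gets wrong is interpreting the answer. The script below is an added example (not part of this lesson) that applies the RFC 8659 rules to the lines `dig +short <name> CAA` prints: a wildcard request is judged by issuewild when any issuewild record exists, otherwise by issue; a plain request is judged by issue only; an empty value (";") permits no CA; and no relevant records at all means any CA may issue. It also lists the lookup order a CA walks, because `dig +short edge.test CAA` only asks about the exact name, while the CA checks parent names until it finds CAA records. The sample record set and the names are constructed for the example, not results of a real lookup.

```shell
#!/bin/sh
# Added example: evaluate a CAA policy the way a CA does (RFC 8659).
# Input lines are in `dig +short <name> CAA` format: flags tag "value".

# Constructed sample of what dig might print; not a real lookup.
sample_caa_output() {
  printf '%s\n' \
    '0 issue "letsencrypt.org"' \
    '0 issuewild ";"' \
    '0 iodef "mailto:security@edge.test"'
}

# Names the CA consults, from the requested name up to the TLD. The first
# name in this order that has any CAA records is the one that decides,
# so a missing record on edge.test does not mean "no policy" if the
# parent zone publishes one.
caa_chain() {
  d="$1"
  while :; do
    printf '%s\n' "$d"
    case "$d" in
      *.*) d="${d#*.}" ;;
      *)   break ;;
    esac
  done
}

# Usage: caa_allows <ca-domain> <wildcard: 0|1>   (CAA lines on stdin)
# Prints "allow" or "deny".
caa_allows() {
  ca="$1"; wild="${2:-0}"
  issue_seen=0; issue_hit=0; wild_seen=0; wild_hit=0
  while read -r _flags tag value; do
    # Drop the surrounding quotes and any ";param=value" suffix, e.g.
    # "letsencrypt.org; validationmethods=dns-01" -> letsencrypt.org
    v=$(printf '%s' "$value" | sed 's/^"//; s/"$//; s/;.*//; s/[[:space:]]*$//')
    case "$tag" in
      issue)     issue_seen=1; if [ "$v" = "$ca" ]; then issue_hit=1; fi ;;
      issuewild) wild_seen=1;  if [ "$v" = "$ca" ]; then wild_hit=1;  fi ;;
    esac
  done
  if [ "$wild" -eq 1 ] && [ "$wild_seen" -eq 1 ]; then
    if [ "$wild_hit" -eq 1 ]; then echo allow; else echo deny; fi
  elif [ "$issue_seen" -eq 1 ]; then
    if [ "$issue_hit" -eq 1 ]; then echo allow; else echo deny; fi
  else
    echo allow   # no issue/issuewild records: any CA may issue
  fi
}

# Demo against the constructed sample.
echo "CAA lookup order for edge.test:"
caa_chain edge.test
printf 'letsencrypt.org, non-wildcard:  %s\n' "$(sample_caa_output | caa_allows letsencrypt.org 0)"
printf 'letsencrypt.org, wildcard:      %s\n' "$(sample_caa_output | caa_allows letsencrypt.org 1)"
printf 'other-ca.example, non-wildcard: %s\n' "$(sample_caa_output | caa_allows other-ca.example 0)"
printf 'no CAA records at all:          %s\n' "$(printf '' | caa_allows letsencrypt.org 0)"
```

To check a live domain, replace `sample_caa_output` with `dig +short "$name" CAA` for each name that `caa_chain` prints and stop at the first name that returns any records; the iodef record is ignored by the decision but tells you where the CA reports a refused request.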

demo script

Disposable terminal steps

  1. dig +short edge.test CAA
  2. dig +noall +answer edge.test A

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ dig +short edge.test CAA
0 issue "letsencrypt.org"
0 iodef "mailto:security@edge.test"
::exit-code::0
$ dig +noall +answer edge.test A
edge.test. 300 IN A 203.0.113.10
::exit-code::0

YouTube Short

Check CAA before certs.

If certificate issuance fails, check CAA. DNS may be telling the CA it is not allowed.

LinkedIn hook

The certificate request failed because DNS allowed the wrong issuer.

Question: Do you check CAA records before changing ACME tooling?

experiments

A/B tests to run

Metric: watch_time

A: CAA blocked issuance.

B: Check issuer policy in DNS.