DNS Record Explainer
Paste any DNS record and get a plain-English breakdown — every tag explained, risky settings flagged, related tools suggested. No domain needed.
[ OK ]
Detected: CAA
input
0 issue "letsencrypt.org"
[ explanation · ai ]
[ breakdown ]
This is the RDATA of a CAA (Certification Authority Authorization) record. On its own it carries no owner name, TTL or class, so it doesn't yet say which name the policy applies to.
In a zone file the complete record looks like this:
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
Breaking down each part:
• 0 — flags field, one octet. Bit 0 (value 128) is the Issuer Critical flag. 0 means non-critical: a CA that doesn't recognise the tag may ignore this property. 128 means critical: a CA that doesn't recognise the tag must not issue at all. A CA that does understand the tag must honour the property either way.
• issue — property tag. Names a CA permitted to issue certificates for this name; it also governs wildcard names unless an issuewild property is present in the same set. Other tags defined for publicly trusted CAs: issuewild (wildcard certificates only), iodef (a mailto: or https: URL for reports of policy violations) and, for S/MIME, issuemail (RFC 9495). Tags are matched case-insensitively.
• "letsencrypt.org" — value. The issuer domain name that the CA publishes for CAA purposes (Let's Encrypt uses letsencrypt.org). This says "only Let's Encrypt may issue for this name." The value may carry parameters after a semicolon (RFC 8657 defines accounturi and validationmethods, which pin issuance to a specific ACME account or validation method), and an empty issuer domain (a bare semicolon) means no CA may issue.
CAA records tell publicly trusted CAs which of them may issue TLS certificates for a name. With no CAA record anywhere in the name's tree, any CA may issue, subject only to its own domain-control validation (DNS or HTTP challenges, validation email).
[ flags ]
• Missing domain context — only the RDATA is shown. A CA looks CAA up by walking from the requested name towards the root, and the first name that has any CAA records supplies the whole policy. So placement matters: at example.com this record governs every subdomain that has no CAA set of its own; at a subdomain it overrides the parent's policy for that subtree only.
• Single authorised CA — this record allows only Let's Encrypt. If other CAs (AWS, Sectigo, DigiCert, etc.) issue for other hosts under the same name, each needs its own issue property in the same record set, using the issuer domain name that CA publishes for CAA.
• Wildcards inherit this policy — when no issuewild property is present, the issue properties govern *.example.com as well, so this record already lets Let's Encrypt issue wildcard certificates. Add an issuewild property only if wildcard issuance should be more restrictive than ordinary issuance; an issuewild value of a bare semicolon forbids wildcard certificates entirely while leaving the issue policy intact.
• No iodef reporting — consider adding an iodef property with a mailto: or https: URL to a monitored inbox or endpoint. Caveat: CAs are not required to send iodef reports and few do, so treat it as a courtesy channel; to actually detect unexpected issuance, monitor Certificate Transparency logs for your names.
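The breakdown above and the flags list describe the same set of rules: the three RDATA fields, the critical flag, the walk from the requested name up towards the root, and the way issue and issuewild split responsibility for wildcard names. The following script, an added example rather than the explainer's own code, implements those rules as a CAA policy evaluator. The zone is constructed sample data with hypothetical names (example.com and its subdomains); nothing here performs real DNS lookups, and RFC 8657 parameters in an issue value are accepted but not enforced.

```python
"""CAA policy evaluator modelled on RFC 8659: parse CAA RDATA and decide
whether a named CA may issue for a given name. Added example; the zone below
is constructed sample data with hypothetical names, no real DNS is queried."""
from dataclasses import dataclass

ISSUER_CRITICAL = 128                       # bit 0 of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this evaluator understands


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)


def parse_caa(rdata: str) -> CAA:
    """Parse presentation-format RDATA such as: 0 issue "letsencrypt.org"."""
    parts = rdata.strip().split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"expected 'flags tag value', got {rdata!r}")
    flags_s, tag, value = parts
    flags = int(flags_s)
    if not 0 <= flags <= 255:
        raise ValueError(f"flags out of range: {flags}")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]                 # strip zone-file quotes
    return CAA(flags, tag.lower(), value)   # tags match case-insensitively


def relevant_caa_set(zone, name):
    """Walk from the name towards the root; the first owner name that has any
    CAA records supplies the whole policy (RFC 8659 section 3)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zone.get(owner)
        if rrset:
            return owner, [parse_caa(r) for r in rrset]
    return None, []


def issuer_matches(value, ca_domain):
    """An issue/issuewild value is '[issuer-domain][; key=value ...]'. A bare
    ';' (empty issuer domain) authorises nobody; parameters are ignored here."""
    issuer = value.split(";", 1)[0].strip().lower()
    return issuer != "" and issuer == ca_domain.lower()


def may_issue(zone, name, ca_domain):
    """Return (allowed, reason) for the CA identified by ca_domain requesting a
    certificate for name; wildcard names start with '*.'."""
    wildcard = name.startswith("*.")
    owner, props = relevant_caa_set(zone, name)
    if not props:
        return True, "no CAA records found; any CA may issue"
    for p in props:                         # critical + unknown tag: no issuance
        if p.critical and p.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {p.tag!r} at {owner}"
    # issuewild governs a wildcard name only if at least one is present;
    # otherwise the issue properties cover wildcards too.
    governing = "issue"
    if wildcard and any(p.tag == "issuewild" for p in props):
        governing = "issuewild"
    rules = [p for p in props if p.tag == governing]
    if not rules:
        return True, f"no {governing} property at {owner}; any CA may issue"
    if any(issuer_matches(p.value, ca_domain) for p in rules):
        return True, f"{ca_domain} is listed in {governing} at {owner}"
    return False, f"{ca_domain} is not listed in {governing} at {owner}"


# Constructed sample zone (hypothetical names): owner name -> CAA RDATA strings.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"',
                    '0 iodef "mailto:security@example.com"'],
    "shop.example.com": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
    "legacy.example.com": ['128 issue "letsencrypt.org"', '128 futuretag "x"'],
    "api.example.com": ['0 issue "letsencrypt.org; validationmethods=dns-01"'],
}

if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("*.shop.example.com", "letsencrypt.org"),
                     ("legacy.example.com", "letsencrypt.org"),
                     ("other.example", "anyca.example")]:
        ok, why = may_issue(ZONE, name, ca)
        print(f"{'ALLOW' if ok else 'DENY':5} {name:22} {ca:16} {why}")
```

Running it shows the points the flags list makes: www.example.com inherits the policy from example.com, *.example.com is allowed for Let's Encrypt because no issuewild is present, *.shop.example.com is refused by the bare-semicolon issuewild while shop.example.com itself is still fine, and legacy.example.com is blocked for every CA because of the critical property with an unrecognised tag.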
[ context ]
CAA is a useful but narrow control. Publicly trusted CAs have been required to check CAA before issuance since September 2017 (CA/Browser Forum Baseline Requirements), so a CAA record limits which CAs a domain-validation weakness (a BGP hijack or DNS spoofing against one CA's validation path, or a bug in a CA's validation pipeline) can be turned into a certificate. It is enforced only by the CA at issuance time: browsers never consult it, and an attacker who already controls your DNS or your registrar account can simply remove or rewrite the record before ordering a certificate. It therefore complements, rather than replaces, registrar MFA, registry locks and Certificate Transparency monitoring. Without CAA you rely entirely on every CA's own domain-control validation to prevent unauthorised issuance.
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers — no analytics/telemetry on paste content.