CAA Debugging Guide
Fix certificate issuance failures caused by CAA records, wildcard policy, inherited CAA, wrong CA identifiers, CAA SERVFAIL, and DNSSEC validation errors.
Answer snapshot
CAA failures happen when the requested CA is not authorized, wildcard issuance is blocked by issuewild, a parent-zone CAA policy is inherited, the CA identifier is wrong, or the CA cannot get a reliable DNS answer. Query the exact name and each parent, compare the requested certificate names with issue and issuewild records, check DNSSEC/SERVFAIL, then update CAA and retry after the relevant TTL.
What you'll learn
- Identify whether CAA is blocking a certificate request
- Trace inherited CAA policy from a hostname to its parent domain
- Debug wildcard and multi-CA certificate issuance failures
- Recognize when DNSSEC or SERVFAIL makes CAA unavailable to the CA
CAA records are intentionally restrictive. Once you publish an applicable CAA record, every public CA that is not allowed by that policy should refuse issuance. That is the security benefit, but it also means certificate renewals can fail after a CA migration, wildcard change, DNSSEC problem, or inherited parent policy.
Use this guide when Let's Encrypt, cert-manager, certbot, lego, a hosting platform, or a commercial CA reports a CAA authorization problem.
Start with the Exact Certificate Request
Write down the names on the certificate and the CA doing the issuance.
| Request detail | Why it matters |
|---|---|
Apex name, such as example.com | CAA is checked for this exact name |
Hostname, such as www.example.com | It may inherit CAA from example.com |
Wildcard, such as *.example.com | issuewild may override normal issue records |
| Issuing CA | The CAA value must match that CA's expected identifier |
| ACME account restrictions | Some CAA parameters bind issuance to a specific account |
Do not debug only the apex if the failed certificate is for a subdomain or wildcard.
Query CAA at the Name and Parents
Query the exact name first:
dig CAA www.example.com +short
dig CAA example.com +shortThen query the authoritative nameserver to bypass resolver cache:
dig @ns1.dnscale.eu CAA www.example.com +short
dig @ns1.dnscale.eu CAA example.com +shortIf public resolvers and authoritative DNS disagree, wait for TTL expiry or investigate stale resolver cache:
dig @1.1.1.1 CAA www.example.com +short
dig @8.8.8.8 CAA www.example.com +short
dig @9.9.9.9 CAA www.example.com +shortIf no CAA exists at the exact name, CAs walk up the DNS tree. A CAA record at example.com can control issuance for www.example.com, api.example.com, and deeper names unless a lower name publishes its own CAA RRset.
Match CAA Tags to the Certificate Type
For normal certificates, check issue:
example.com. 3600 IN CAA 0 issue "letsencrypt.org"For wildcard certificates, check issuewild:
example.com. 3600 IN CAA 0 issuewild "letsencrypt.org"Important behavior:
- If no
issuewildrecords exist, wildcard checks can fall back toissue. - If any
issuewildrecord exists, wildcard issuance is controlled byissuewild. 0 issuewild ";"denies wildcard issuance from all public CAs.0 issue ";"denies non-wildcard issuance from all public CAs.
A common failure is allowing Let's Encrypt with issue "letsencrypt.org" and later adding issuewild ";". That still allows normal certificates, but it blocks *.example.com renewals.
Verify the CA Identifier
CAA values are CA-specific identifiers, not always the marketing brand shown in a certificate UI. Verify the exact value with your CA's documentation before making policy strict.
Common values:
| CA or service | Common CAA value |
|---|---|
| Let's Encrypt | letsencrypt.org |
| Google Trust Services | pki.goog |
| Amazon Certificate Manager | amazon.com |
| DigiCert | digicert.com |
| Sectigo | sectigo.com |
| ZeroSSL | sectigo.com |
If a platform obtains certificates on your behalf, confirm which CA it actually uses. A hosting provider may switch between CAs over time, and the CAA policy must authorize the current issuer.
Check for Account-Bound Parameters
CAA can include parameters after the CA identifier. For example, some ACME deployments use account binding so only a specific ACME account may issue:
example.com. 3600 IN CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456"If an ACME account is rotated, recreated, or moved to a different environment, the CA identifier may still look correct while account-bound CAA blocks issuance. Compare the account URI in DNS with the account used by the current ACME client.
Check for CAA SERVFAIL and DNSSEC Problems
Certificate authorities need a reliable answer to the CAA lookup. If CAA queries return SERVFAIL, time out, or fail DNSSEC validation, the CA may refuse to issue even if the record content is correct.
dig @1.1.1.1 CAA example.com +dnssec
dig @1.1.1.1 CAA example.com +cd
dig +trace +dnssec CAA example.comInterpretation:
| Result | Likely issue |
|---|---|
Normal query SERVFAILs, +cd returns CAA | DNSSEC validation failure |
| Authoritative query works, public resolver has old CAA | Resolver cache or recent TTL change |
+trace breaks at parent DS | DNSSEC delegation problem |
| CAA lookup times out | Authoritative availability or network issue |
If DNSSEC is involved, use DNSSEC Failure Troubleshooting before changing certificate automation.
Debug Subdomain Overrides
CAA inheritance stops when a CA finds a CAA RRset at the queried name. That means a subdomain can intentionally override the parent policy:
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
shop.example.com. 3600 IN CAA 0 issue "digicert.com"In that setup, shop.example.com authorizes DigiCert, not Let's Encrypt. If a renewal fails only for one subdomain, query that exact name before changing the apex.
Safe Fix Workflow
Use a narrow change first:
- Confirm the actual issuer and certificate names.
- Add the missing
issueorissuewildvalue. - Keep existing authorized CAs until the new certificate has issued.
- Wait for the CAA TTL to expire at public resolvers.
- Retry issuance.
- Remove old CA authorizations only after the migration is complete.
Avoid deleting every CAA record during an incident unless you are intentionally making issuance unrestricted. A safer emergency fix is usually adding the required CA temporarily, then tightening the policy after issuance succeeds.
DNScale CAA Examples
Allow Let's Encrypt for normal and wildcard certificates:
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "@",
"type": "CAA",
"content": "0 issue \"letsencrypt.org\"",
"ttl": 3600
}'
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "@",
"type": "CAA",
"content": "0 issuewild \"letsencrypt.org\"",
"ttl": 3600
}'Add an incident-reporting address:
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "@",
"type": "CAA",
"content": "0 iodef \"mailto:security@example.com\"",
"ttl": 3600
}'Related Guides
Frequently asked questions
- Why did my certificate renewal fail after adding CAA?
- Once any applicable CAA issue or issuewild record exists, public CAs that are not authorized by that policy must refuse issuance. Add the CA that actually issues your certificate, wait for the CAA TTL to expire, and retry renewal.
- Does CAA at example.com apply to www.example.com?
- Yes, unless www.example.com has its own CAA RRset. CAs check the requested name first, then walk up the DNS tree until they find an applicable CAA policy or reach the top.
- What blocks wildcard certificates?
- The issuewild tag controls wildcard issuance. If issuewild exists, it overrides issue for wildcard certificates. `0 issuewild ";"` explicitly denies wildcard issuance from all public CAs.
- Can DNSSEC break CAA checks?
- Yes. If a CA cannot reliably determine the applicable CAA policy because DNSSEC validation fails or DNS returns SERVFAIL, issuance can fail even when the visible CAA value looks correct.
Related guides
Security
What Is a DDoS Attack? Types, Impact, and DNS Protection
Learn what DDoS attacks are, how volumetric, protocol, and application-layer attacks work, and how anycast DNS networks protect your infrastructure.
Security
What is DNSSEC? A Plain-Language Guide to DNS Security
DNSSEC explained from first principles — what it is, why it exists, how it works at a high level, and when you should turn it on for your domain.
Security
DNS Amplification Attacks Explained — How They Work and How to Prevent Them
Understand how DNS amplification attacks exploit open resolvers and spoofed IPs to generate massive traffic floods, and learn the prevention techniques that stop them.
Security
How DNSSEC Works — KSK, ZSK, DS, DNSKEY, RRSIG, NSEC Explained
A walkthrough of the DNSSEC chain of trust: how KSK and ZSK signing keys, DS records, DNSKEY records, RRSIG signatures, and NSEC/NSEC3 work together to authenticate DNS answers.
Ready to manage your DNS with confidence?
DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.
Start free