
CAA Record Lookup (Certificate Authority Authorization)

Control which authorities can issue SSL/TLS certificates

Secure your SSL/TLS certificates by verifying that only authorized authorities can issue them for your domain.


Certification policy

Discover which certificate authorities (Let's Encrypt, DigiCert, etc.) are authorized to issue certificates for the domain.

Multi-resolver

Compare responses from Google, Cloudflare, and Quad9 to detect propagation issues.

Issue and issuewild tags

Analyze authorizations for standard and wildcard certificates separately.

Iodef alerts

Check if a notification address is configured for unauthorized issuance attempts.

Free and unlimited

Test as many domains as needed. No signup required.

How to use the DNS lookup engine options effectively

What is the iterative trace?

The trace performs resolution step by step. The resolver first queries the root servers, then the TLD (.com, .fr, .eu), and then the authoritative servers of the target zone. At each step, the page shows the queried server, the answer, the RCODE, and the latency.

  1. Root

    Discovery of the TLD servers for the requested name.

  2. TLD

    Referral to the zone's NS records (delegation).

  3. Authoritative

    Final answer (or error) with TTL and latency.

What is it for?

  • Compare answers across resolvers and regions
  • Detect a hot cache, an overly long TTL, or an incomplete delegation
  • Explain a latency difference or an unexpected RCODE

Tip: keep the trace disabled for quick checks; enable it when investigating or preparing a ticket/post-mortem.

What is the classic trace?

The classic trace queries only the selected resolver (UDP or DoH) and displays the answer as it is perceived from that network vantage point. You get the RCODE, the response sections, and the latency for the client → resolver leg.

  1. Chosen resolver

    Uses the preset or custom configuration to run the query exactly like your service would.

  2. Protocol preserved

    Respects the selected transport (UDP, TCP, or DoH) so you reproduce the real behaviour.

  3. Detailed answer

    Shows the question, answer, and authority/additional sections when present, together with TTL and useful metadata.

Why use it?

  • Check the view of a specific resolver before suspecting delegation issues
  • Confirm cached values and the impact of a TTL or a flush
  • Document a resolution exactly as a client or microservice sees it

Tip: keep the iterative trace option turned off when auditing a given resolver; enable it afterwards to compare with the root → TLD → authoritative path.

How does the propagation test work?

The test queries a set of public resolvers (Google, Cloudflare, Quad9, OpenDNS, ISPs…) in parallel and groups the answers by content and RCODE. You instantly see who already picked up the update.

  1. Multi-point resolvers

    Enables the propagation presets to query several resolvers spread around the world.

  2. Automatic comparison

    Groups identical answers and highlights divergences or resolver-specific errors.

  3. Actionable summary

    Provides a clear recap, the resolver list, their latencies, and each group's status.

When to use it?

  • Track how a DNS change propagates worldwide
  • Spot stale caches and decide on a targeted flush
  • Share a propagation snapshot in a ticket or post-mortem

Tip: while the propagation test is active, the resolver selector is frozen. Disable the mode to return to single-resolver diagnostics.

What is a CAA record?

A CAA (Certificate Authority Authorization) record defines which certificate authorities (CAs) are authorized to issue SSL/TLS certificates for a domain. It's a security measure that prevents unauthorized certificate issuance.

CAA record structure:

Field   Description                         Example
Flag    0 (standard) or 128 (critical)      0
Tag     Authorization type                  issue, issuewild, iodef
Value   Authorized CA or contact address    "letsencrypt.org"
TTL     Cache duration in seconds           3600

Available CAA tags

issue - Standard certificates

Authorize a CA for non-wildcard certificates:

captaindns.com.  3600  IN  CAA  0 issue "letsencrypt.org"
captaindns.com.  3600  IN  CAA  0 issue "digicert.com"

issuewild - Wildcard certificates

Authorize a CA for wildcard certificates (*.domain):

captaindns.com.  3600  IN  CAA  0 issuewild "letsencrypt.org"

iodef - Notifications

Address to receive unauthorized attempt reports:

captaindns.com.  3600  IN  CAA  0 iodef "mailto:security@captaindns.com"

Forbid all issuance

Block all CAs:

captaindns.com.  3600  IN  CAA  0 issue ";"

Important rules

Inheritance and subdomains

Situation            Behavior
CAA at apex          Applies to all subdomains
CAA on subdomain     Overrides the apex rule for that subdomain
No CAA               No restriction, any CA can issue
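As an added example (not the lookup tool's own code), the structure, tag and inheritance rules above implemented in Python following RFC 8659: the nearest owner with CAA records wins, so a subdomain's set replaces the apex's; issuewild governs wildcard requests when present and issue applies otherwise; a bare ";" authorises no CA; and a critical (128) record with an unknown tag blocks issuance. The ZONE dictionary is a constructed sample modelled on the records shown on this page.

```python
import re
from dataclasses import dataclass
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')
@dataclass(frozen=True)
class CAA:
    flags: int  # 0 = standard, 128 = critical
    tag: str
    value: str

def parse_caa(rdata: str) -> CAA:
    # Presentation form: <flags> <tag> "<value>"
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"not a CAA rdata: {rdata!r}")
    return CAA(int(m.group(1)), m.group(2).lower(), m.group(3).strip())

def relevant_caa(zone: dict, name: str) -> list:
    # Climb toward the apex; the nearest owner with CAA wins (subdomain overrides apex).
    labels = name.rstrip(".").split(".")
    while labels:
        owner = ".".join(labels) + "."
        if owner in zone:
            return [parse_caa(r) for r in zone[owner]]
        labels.pop(0)
    return []  # no CAA anywhere up the tree: no restriction

def ca_may_issue(zone: dict, name: str, ca: str, wildcard: bool = False) -> bool:
    """Decide whether `ca` may issue for `name`, following RFC 8659."""
    recs = relevant_caa(zone, name)
    # A critical (128) record with a tag the CA does not understand blocks issuance.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in recs):
        return False
    tags = {r.tag for r in recs}
    # Wildcards use issuewild when present and fall back to issue otherwise.
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True  # nothing restricts this kind of issuance (e.g. only iodef)
    # The CA name precedes any ";param=value" list; a bare ";" authorises nobody.
    allowed = {r.value.split(";")[0].strip().lower() for r in recs if r.tag == tag}
    return ca.lower() in allowed

def iodef_contacts(zone: dict, name: str) -> list:
    return [r.value for r in relevant_caa(zone, name) if r.tag == "iodef"]

ZONE = {  # constructed sample zone, modelled on the records shown on this page
    "captaindns.com.": ['0 issue "letsencrypt.org"', '0 issue "digicert.com"',
                        '0 issuewild "letsencrypt.org"', '0 iodef "mailto:security@captaindns.com"'],
    "dev.captaindns.com.": ['0 issue ";"'],  # subdomain override: forbid all CAs
}
```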

Best practices

Practice                 Why
Limit CAs                Reduce attack surface
Configure iodef          Get alerted of attempts
Test before production   Avoid lockouts

Common issues

Certificate refused by CA

The CA refuses to issue because it is not listed in the domain's CAA records.

  1. Check domain's CAA records
  2. Add the CA if legitimate
  3. Wait for propagation

Wildcard blocked

Wildcard certificate refused despite an issue tag.

  1. issuewild is required for wildcards
  2. Add an issuewild record
  3. issue alone doesn't cover *.domain

Subdomain not covered

A subdomain has different rules.

  1. Check subdomain-specific CAA
  2. Inheritance may be overridden
  3. Add CAA at subdomain level if needed

Command line verification

Linux/Mac

dig CAA captaindns.com

Check a subdomain:

dig CAA www.captaindns.com

Windows

nslookup -type=caa captaindns.com

Complete example

; Authorize Let's Encrypt for all certificates
captaindns.com.  3600  IN  CAA  0 issue "letsencrypt.org"
captaindns.com.  3600  IN  CAA  0 issuewild "letsencrypt.org"

; Security notifications
captaindns.com.  3600  IN  CAA  0 iodef "mailto:security@captaindns.com"
