dnsight caa
CAA inventory and policy check; generate CAA lines.
Options

| Option | Type | Default | Required | Description |
| --- | --- | --- | --- | --- |
| domains | text | — | no | One or more domains; omit to use config manifest targets. |
| --config | file | — | no | YAML path (overrides global --config for this command). |
| --require-caa / --no-require-caa | bool | — | no | Require effective CAA with issue tags. |
| --required-issuers | text | — | no | Comma-separated CA issuer domains required in issue tags. |
| --check-issuewild / --no-check-issuewild | bool | — | no | Validate issuewild vs issue consistency. |
| --restrict-wildcard-issuance / --no-restrict-wildcard-issuance | bool | — | no | Wildcard issuance must be restricted via issuewild. |
| --cross-reference-crt-sh / --no-cross-reference-crt-sh | bool | — | no | Query crt.sh and compare issuers to CAA. |
| --names | text | — | no | Comma-separated extra hostnames (under zone) to check. |
| --enumerate-names / --no-enumerate-names | bool | — | no | Discover names via DNS walk. |
| --max-enumeration-depth | integer range | — | no | Max CNAME/DNAME depth. |
| --max-names | integer range | — | no | Max distinct names to enumerate. |
| --include-www / --no-include-www | bool | — | no | Seed www.. |
| --include-mx-targets / --no-include-mx-targets | bool | — | no | Include MX exchange hostnames in discovery. |
| --include-srv-targets / --no-include-srv-targets | bool | — | no | Include SRV targets in discovery. |
| --enumerate-dname / --no-enumerate-dname | bool | — | no | Follow DNAME during walk. |
| --reporting-email | text | — | no | Email for iodef mailto in GENERATE (optional). |

Subcommands

| Command | Description |
| --- | --- |
| generate | Print suggested CAA records. |
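
The checks named by `--require-caa`, `--required-issuers` and `--restrict-wildcard-issuance` rest on the RFC 8659 rules for finding the effective CAA record set and deciding who may issue. The sketch below is an added example, not dnsight's code: the `ZONE` data, function names and finding strings are constructed, and the mapping of the flags onto these checks is an assumption.

```python
# Added illustration (not dnsight code): RFC 8659 CAA evaluation over constructed data.
ZONE = {  # constructed sample: owner name -> CAA RDATA in presentation format
    "example.com": ['0 issue "letsencrypt.org"', '0 issue "ca.example.net; account=1"',
                    '0 issuewild ";"', '0 iodef "mailto:security@example.com"'],
    "dev.example.com": ['0 issue "ca.example.net"'],
}

def parse_caa(rdata):
    """Split 'flags tag "value"'; for issue/issuewild keep only the issuer domain."""
    flags, tag, value = rdata.split(None, 2)
    value = value.strip().strip('"')
    tag = tag.lower()  # tags match case-insensitively
    if tag in ("issue", "issuewild"):
        value = value.split(";", 1)[0].strip().lower()  # drop parameters such as account=
    return int(flags), tag, value

def effective_caa(name, zone):
    """Climb from name toward the root; the closest name with a CAA RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, [parse_caa(r) for r in zone[owner]]
    return None, []

def authorized_issuers(records, wildcard=False):
    """Issuers allowed to issue; None means CAA does not restrict issuance."""
    tags = {t for _, t, _ in records}
    # issuewild, when present, replaces issue for wildcard requests only
    use = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if use not in tags:
        return None
    return {v for _, t, v in records if t == use and v}  # empty value (";") allows nobody

def check(name, zone, required_issuers=(), restrict_wildcard=False):
    """Assumed policy checks: issue tag present, required CAs listed, issuewild set."""
    owner, records = effective_caa(name, zone)
    allowed = authorized_issuers(records)
    findings = []
    if allowed is None:
        findings.append("no effective CAA issue tag")
    for ca in required_issuers:
        if ca not in (allowed or set()):
            findings.append(f"required issuer missing: {ca}")
    if restrict_wildcard and not any(t == "issuewild" for _, t, _ in records):
        findings.append("wildcard issuance not restricted by issuewild")
    return owner, findings
```

Note that `dev.example.com` publishes its own CAA set, so it no longer inherits the parent's `issuewild ";"` and the wildcard check fails there even though the apex is locked down.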