ServerRecords

Help & Troubleshooting

CERT Record

What this is

CERT records can store certificates (X.509, PGP) directly in DNS. They are rare; DANE/TLSA and SMIMEA have superseded most of their intended uses.

How to read your result

No CERT records is the norm and never a problem. If one exists, someone put it there deliberately — typically for S/MIME or a legacy PKI integration.

Common problems and how to fix them

Stale CERT record from a retired system

How it shows up: Nothing visibly breaks, but the record advertises an old certificate — confusing audits, and misleading any system that still honors it.

How to fix it: If you cannot identify what consumes the record, treat it as removable: delete it and monitor. Keep DNS free of leftovers from decommissioned systems.

Run a look up for this record