Help & Troubleshooting
CERT Record
What this is
CERT records can store certificates (X.509, PGP) directly in DNS. They are rare; DANE/TLSA and SMIMEA have superseded most of their intended uses.
How to read your result
No CERT records is the norm and never a problem. If one exists, someone put it there deliberately — typically for S/MIME or a legacy PKI integration.
Common problems and how to fix them
Stale CERT record from a retired system
How it shows up: Nothing visibly breaks, but the record advertises an old certificate — confusing audits, and misleading any system that still honors it.
How to fix it: If you cannot identify what consumes the record, treat it as removable: delete it and monitor. Keep DNS free of leftovers from decommissioned systems.