$ Linux One Liners
Back to lessons

Web Server Rescue

Risk: safe

Check CAA Certificate Issuers

You need to see which certificate authorities are allowed to issue for a domain.

Command

dig +short edge.test CAA

Before you run this

Risk: safe. Do not assume missing CAA is a failure; many domains intentionally omit CAA records.

Expected output

CAA issue and contact records for the domain.

System impact

Nothing changes. The command queries DNS CAA records.

Recovery / rollback: no state is changed.

When to use it

Use before debugging failed certificate issuance or changing ACME providers.

When not to use it

Do not assume missing CAA is a failure; many domains intentionally omit CAA records.

Watch this command run

Example output from a temporary Linux lab

This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.

demo@lab:~$

$ dig +short example.com CAA

0 issue "example.com"
0 iodef "mailto:security@example.com"

$ dig +noall +answer example.com A

example.com. 300 IN A 203.0.113.10
View reproducible demo details

This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.

Lab setup steps

  1. dig +short edge.test CAA
  2. dig +noall +answer edge.test A

next steps

Related commands

Web Server Rescue Risk: safe

Compare A and AAAA Records

IPv4 worked. IPv6 sent users to a different edge.

printf 'A '; dig +short edge.test A; printf 'AAAA '; dig +short edge.test AAAA
Web Server Rescue Risk: safe

Compare Authoritative Nameserver Answers

The recursive resolver was not the problem. One nameserver disagreed.

for ns in $(dig +short NS edge.test); do printf '%s ' "$ns"; dig @"$ns" +short edge.test A; done
Web Server Rescue Risk: safe

Compare DNS Answers Across Resolvers

One resolver can still have the old edge IP while another has the new one.

for r in 1.1.1.1 8.8.8.8 9.9.9.9; do printf '%s ' "$r"; dig @"$r" +short edge.test A; done
Web Server Rescue Risk: safe

Check the WWW CNAME Target

The apex was right. The www name pointed through a different path.

dig +short www.edge.test CNAME
Web Server Rescue Risk: safe

Show the DNS Answer TTL

The fix was correct. The TTL explained why users still saw the old edge.

dig +noall +answer edge.test A
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:109-networking
  • lfcs:networking
  • lfcs:services-logs
  • linuxplus:provisional
  • linuxplus:troubleshooting
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.