Skip to main content

Domains

Registrar-side expiry tracking plus a DNS hygiene watch. A perfectly automated certificate is worthless if the domain registration itself lapses or the zone is misconfigured — Domains keeps WHOIS expiry, DNSSEC, SPF/DMARC, transfer lock, dangling DNS, and CAA under periodic surveillance.

Open it from the left sidebar: Domains. The page is project-scoped.

note

Domain tracking is independent of certificate management. It watches the domain registration and DNS records, not TLS certificates — a domain here does not need any certificate in CertAutoPilot, and vice versa.

What gets checked

Each check runs two probes against the domain:

  • WHOIS lookup — registrar, registration and expiration dates, name servers, EPP status codes (transfer lock), DNSSEC flag, and the registration state (active / expired).
  • DNS health check — resolves A/AAAA/CNAME, MX, SPF (with syntax validation), DMARC policy, CAA records, and detects dangling DNS (a record pointing at a non-existent target — subdomain-takeover risk).

The results roll up into a health score (0–100) built from six factors: DNSSEC, SPF, DMARC, transfer lock, dangling DNS, and CAA. The score is bucketed into healthy / warning / critical.

Adding a domain

  1. Click Add Domain (top right).
  2. Enter the Domain Name (e.g. example.com) — normalization (case, trailing dots, scheme) is handled automatically.
  3. Click Add.

The domain appears with a pending-check spinner and an initial check job is enqueued immediately; results typically land within a minute (visible in Jobs as domain_expiration_check).

  • Requires the Operator project role or higher (same for delete and on-demand checks; viewers can read).
  • Duplicates within the same project are rejected.

The list

A search box filters by domain name. Columns (hover a header for its explanation tooltip):

ColumnContent
Domain NameSortable.
RegistrarFrom WHOIS.
ExpirationColour-coded tag: red if expired or ≤ 7 days remaining, orange ≤ 30 days, green date otherwise. Hover for the exact timestamp.
HealthScore tag (0–100) coloured by level. Hover for a per-factor breakdown popover (✓/✗ with points).
DNSSECYes / No.
LockRegistrar transfer lock (clientTransferProhibited) present — Yes / No.
SPFSPF TXT record present — Yes / No.
DMARCPolicy tag: reject (green), quarantine (orange), none (red), or None if absent.
StateRegistration state from WHOIS — active (green) or expired (red).
CheckIcon for the last check: green check (ok), red cross (error — hover for the message), spinner (pending first check).
Last CheckedRelative time (5m ago).
ActionsWHOIS Lookup (on-demand check) and Delete (with confirmation).

Row detail

Click a row (or the expand arrow) to unfold the full record: registrar, registration/expiration dates, DNSSEC, name servers, EPP domain statuses, resolved DNS records (A/AAAA/CNAME), MX records, the raw SPF record (with an Invalid syntax tag if malformed), the raw DMARC record, a DANGLING flag with the reason if detected, CAA records (colour-coded issue / issuewild / iodef with explanation tooltips), transfer lock state, consecutive error count, next scheduled check, and the last error if any.

Check scheduling

  • A leader-elected scheduler sweep runs hourly and enqueues check jobs for every domain whose next-check time has passed (batches of 50; WHOIS lookups are rate-limited to one every 2 seconds, 15 s timeout each).
  • After a successful check, the next check is scheduled 24 hours later.
  • After a failure, checks back off exponentially: 6 h, 12 h, then capped at 24 h (min(24h, 6h × 2^(n−1)) for n consecutive errors). The counter resets on the next success.
  • On demand: click the WHOIS Lookup action on any row to enqueue a check immediately — the UI confirms with "WHOIS lookup triggered".

Alerts

Checks emit domain.* notification events, routed through the standard notification rules:

EventTriggerDedupe
domain.expiring_soonRegistration expires within 30 daysWeekly per domain
domain.expiredRegistration state flips to expiredOn transition
domain.dangling_dnsDangling DNS record detectedPer finding
domain.dnssec_missingDNSSEC not enabledPer finding
domain.no_dmarcNo DMARC record, or policy noneWeekly per domain

Tracked domains with expiry inside 90 days also surface on the main dashboard.

Troubleshooting

Check icon is red

Hover the icon (or expand the row) for the last error. WHOIS servers rate-limit aggressively — repeated failures back off automatically; use WHOIS Lookup to force a retry once the cause is fixed.

Expiration shows "Unknown"

Some TLDs' WHOIS/RDAP servers don't publish expiry dates, or the first check hasn't completed yet. The rest of the health data still populates from the DNS probe.

See also