Domains
Registrar-side expiry tracking plus a DNS hygiene watch. A perfectly automated certificate is worthless if the domain registration itself lapses or the zone is misconfigured — Domains keeps WHOIS expiry, DNSSEC, SPF/DMARC, transfer lock, dangling DNS, and CAA under periodic surveillance.
Open it from the left sidebar: Domains. The page is project-scoped.
Domain tracking is independent of certificate management. It watches the domain registration and DNS records, not TLS certificates — a domain here does not need any certificate in CertAutoPilot, and vice versa.
What gets checked
Each check runs two probes against the domain:
- WHOIS lookup — registrar, registration and expiration dates, name servers, EPP status codes (transfer lock), DNSSEC flag, and the registration state (active / expired).
- DNS health check — resolves A/AAAA/CNAME, MX, SPF (with syntax validation), DMARC policy, CAA records, and detects dangling DNS (a record pointing at a non-existent target — subdomain-takeover risk).
The results roll up into a health score (0–100) built from six factors: DNSSEC, SPF, DMARC, transfer lock, dangling DNS, and CAA. The score is bucketed into healthy / warning / critical.
Adding a domain
- Click Add Domain (top right).
- Enter the Domain Name (e.g.
example.com) — normalization (case, trailing dots, scheme) is handled automatically. - Click Add.
The domain appears with a pending-check spinner and an initial check job is enqueued immediately; results typically land within a minute (visible in Jobs as domain_expiration_check).
- Requires the Operator project role or higher (same for delete and on-demand checks; viewers can read).
- Duplicates within the same project are rejected.
The list
A search box filters by domain name. Columns (hover a header for its explanation tooltip):
| Column | Content |
|---|---|
| Domain Name | Sortable. |
| Registrar | From WHOIS. |
| Expiration | Colour-coded tag: red if expired or ≤ 7 days remaining, orange ≤ 30 days, green date otherwise. Hover for the exact timestamp. |
| Health | Score tag (0–100) coloured by level. Hover for a per-factor breakdown popover (✓/✗ with points). |
| DNSSEC | Yes / No. |
| Lock | Registrar transfer lock (clientTransferProhibited) present — Yes / No. |
| SPF | SPF TXT record present — Yes / No. |
| DMARC | Policy tag: reject (green), quarantine (orange), none (red), or None if absent. |
| State | Registration state from WHOIS — active (green) or expired (red). |
| Check | Icon for the last check: green check (ok), red cross (error — hover for the message), spinner (pending first check). |
| Last Checked | Relative time (5m ago). |
| Actions | WHOIS Lookup (on-demand check) and Delete (with confirmation). |
Row detail
Click a row (or the expand arrow) to unfold the full record: registrar, registration/expiration dates, DNSSEC, name servers, EPP domain statuses, resolved DNS records (A/AAAA/CNAME), MX records, the raw SPF record (with an Invalid syntax tag if malformed), the raw DMARC record, a DANGLING flag with the reason if detected, CAA records (colour-coded issue / issuewild / iodef with explanation tooltips), transfer lock state, consecutive error count, next scheduled check, and the last error if any.
Check scheduling
- A leader-elected scheduler sweep runs hourly and enqueues check jobs for every domain whose next-check time has passed (batches of 50; WHOIS lookups are rate-limited to one every 2 seconds, 15 s timeout each).
- After a successful check, the next check is scheduled 24 hours later.
- After a failure, checks back off exponentially: 6 h, 12 h, then capped at 24 h (
min(24h, 6h × 2^(n−1))for n consecutive errors). The counter resets on the next success. - On demand: click the WHOIS Lookup action on any row to enqueue a check immediately — the UI confirms with "WHOIS lookup triggered".
Alerts
Checks emit domain.* notification events, routed through the standard notification rules:
| Event | Trigger | Dedupe |
|---|---|---|
domain.expiring_soon | Registration expires within 30 days | Weekly per domain |
domain.expired | Registration state flips to expired | On transition |
domain.dangling_dns | Dangling DNS record detected | Per finding |
domain.dnssec_missing | DNSSEC not enabled | Per finding |
domain.no_dmarc | No DMARC record, or policy none | Weekly per domain |
Tracked domains with expiry inside 90 days also surface on the main dashboard.
Troubleshooting
Check icon is red
Hover the icon (or expand the row) for the last error. WHOIS servers rate-limit aggressively — repeated failures back off automatically; use WHOIS Lookup to force a retry once the cause is fixed.
Expiration shows "Unknown"
Some TLDs' WHOIS/RDAP servers don't publish expiry dates, or the first check hasn't completed yet. The rest of the health data still populates from the DNS probe.