Sheogorath's Blog

Let's Encrypt CAA parameters

Today I learned that Let’s Encrypt (LE) can restrict which validation methods may be used to issue a TLS certificate for a domain. This reduces the effectiveness of MITM attacks on certificate issuance, because an attacker who can intercept traffic to a host cannot pass a challenge type the domain owner has not allowed. To do this, LE supports a parameter on the CAA record that selects the permitted method for that domain. This lets you assign validation methods such as http-01 or dns-01 per domain as part of your DNS setup.

example.org         CAA 0 issue "letsencrypt.org;validationmethods=dns-01"
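To see how a CA evaluates such records, here is an added Python example (not code from this post or from Let's Encrypt) that parses a constructed CAA record set like the one above and decides whether issuance with a given validation method is permitted. It goes slightly beyond the post by also handling the issuewild tag and the critical flag from RFC 8659.

```python
from dataclasses import dataclass

CRITICAL = 0x80          # RFC 8659 "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass
class CAA:
    flags: int
    tag: str
    value: str

def parse_value(value: str):
    """Split 'letsencrypt.org;validationmethods=dns-01' into (issuer, params)."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            params[key.strip().lower()] = val.strip()
    return issuer, params

def issuance_allowed(records, ca="letsencrypt.org", method="http-01", wildcard=False):
    """Return True if `ca` may issue using `method` under this CAA RRset."""
    # A critical record whose tag the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"          # issuewild overrides issue for wildcard names
    relevant = [r for r in records if r.tag.lower() == tag]
    if not relevant:
        return True                # no applicable property: any CA may issue
    for r in relevant:
        issuer, params = parse_value(r.value)
        if issuer != ca:
            continue               # a bare ';' means "no CA" and never matches
        allowed = params.get("validationmethods")
        if allowed is None:
            return True            # issuer listed with no method restriction
        if method in {m.strip() for m in allowed.split(",")}:
            return True
    return False

# Constructed zone data: the record from the post plus a wildcard ban.
RECORDS = [
    CAA(0, "issue", "letsencrypt.org;validationmethods=dns-01"),
    CAA(0, "issuewild", ";"),
]

if __name__ == "__main__":
    for m in ("dns-01", "http-01"):
        print(f"{m:8} -> {'allowed' if issuance_allowed(RECORDS, method=m) else 'refused'}")
```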

I came across this while reading up on the recent MITM attack on jabber.ru and the related Hacker News thread that mentioned these flags.