Today I learned that Let’s Encrypt (LE) lets you restrict which ACME validation methods may be used to obtain a TLS certificate for your domain. This is not an LE account setting but a CAA record parameter, validationmethods, defined in RFC 8657: you append it to the issue value of the domain's CAA record, and LE honours it when it validates an order. The reason this matters for MITM attacks is that the http-01 and tls-alpn-01 challenges are completed over the network against the host's IP address, so an attacker who can intercept traffic to the server can pass them and be issued a perfectly valid certificate. Restricting the domain to dns-01 means the attacker also needs write access to the DNS zone. (RFC 8657 also defines an accounturi parameter that pins issuance to one ACME account, which LE supports as well.) Two caveats: CAA is checked only at issuance time and only by CAs that honour the parameter, and it does nothing against an attacker who already controls your DNS. Since the parameter lives in DNS, you can set it per domain as part of your DNS setup, for example to allow only dns-01 for example.org:
example.org CAA 0 issue "letsencrypt.org;validationmethods=dns-01"
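To see what the parameter actually does at issuance time, here is an added Python example (it is not code from this post or from Let's Encrypt) that parses CAA issue values the way RFC 8659 and RFC 8657 define them and decides whether a given CA may issue via a given ACME challenge. The zone records it evaluates are constructed for illustration, including a second CA name, ca.example, that is not restricted.

```python
"""Added example: evaluate CAA 'issue' restrictions (RFC 8659 plus the
RFC 8657 validationmethods parameter) offline, to show why
validationmethods=dns-01 blocks http-01 and tls-alpn-01.
Not code from the post or from Let's Encrypt; the zone records below
are constructed for illustration."""
from dataclasses import dataclass, field

# Property tags every CA understands. A record carrying the "issuer
# critical" flag (bit value 128) with an unknown tag forbids issuance.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128


@dataclass
class CaaIssue:
    issuer: str                 # lower-cased issuer domain; "" means "nobody"
    params: dict = field(default_factory=dict)


def parse_issue_value(value: str) -> CaaIssue:
    """Parse an issue/issuewild value: issuer [; tag=value ...].

    RFC 8657 defines the tags 'validationmethods' (comma-separated ACME
    challenge names) and 'accounturi'. Whitespace around ';' and '=' is
    allowed and stripped; a parameter without '=' is malformed.
    """
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:                      # tolerate a trailing ";"
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        tag, val = p.split("=", 1)
        params[tag.strip().lower()] = val.strip()
    return CaaIssue(issuer, params)


def allowed_methods(records, ca, wildcard=False):
    """Return the set of validation methods `ca` may use, or None for
    'any method'. An empty set means the CA may not issue at all.

    records: (flags, tag, value) tuples found for the name being certified.
    Per RFC 8659, issuewild records take precedence for wildcard names when
    present; otherwise issue records apply. No relevant records at all means
    no restriction. (Real CAs also climb to parent names when a name has no
    CAA records; that tree walk is out of scope here.)
    """
    if any(f & CRITICAL and t.lower() not in KNOWN_TAGS for f, t, _ in records):
        return set()
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    relevant = [v for _, t, v in records if t.lower() == tag]
    if not relevant:
        return None
    allowed = set()
    for v in relevant:
        entry = parse_issue_value(v)
        if entry.issuer != ca.lower():
            continue
        methods = entry.params.get("validationmethods")
        if methods is None:
            return None                # this record permits any method
        allowed |= {m.strip() for m in methods.split(",") if m.strip()}
    return allowed                     # empty if no record named this CA


def may_issue(records, ca, method, wildcard=False):
    """True if `ca` may issue for this name using ACME challenge `method`."""
    methods = allowed_methods(records, ca, wildcard)
    return methods is None or method in methods


# Constructed zone for example.org: the record from the post plus an
# unrestricted second CA (illustration only, not a recommendation).
ZONE_RECORDS = [
    (0, "issue", "letsencrypt.org;validationmethods=dns-01"),
    (0, "issue", "ca.example"),
    (0, "iodef", "mailto:security@example.org"),
]

if __name__ == "__main__":
    for method in ("http-01", "tls-alpn-01", "dns-01"):
        print(f"letsencrypt.org via {method}: "
              f"{may_issue(ZONE_RECORDS, 'letsencrypt.org', method)}")
```

To run this against a live zone, `dig +short CAA example.org` prints lines of the form `0 issue "letsencrypt.org;validationmethods=dns-01"`, which map directly onto the (flags, tag, value) tuples above. The decision that counts is of course the one Let's Encrypt makes at validation time; this is just a way to confirm the record says what you think it says before relying on it.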
I came across this when reading up on the recent MITM attack on jabber.ru and the related Hacker News thread mentioning these flags.