Certification Authority Authorization (CAA) is a relatively recent security standard that enables you to restrict what CAs are allowed to issue certificates for your properties. CAA is delivered via DNS. When a new certificate is requested, the CA must look for a CAA policy on the affected hosts and verify that they have permission to proceed. If they don't, the issuance fails.
example.com. CAA 0 issue "digicert.com" example.com. CAA 0 issue "globalsign.com" example.com. CAA 0 issue "letsencrypt.org" example.com. CAA 0 issue "sectigo.com"
CAA is a very useful addition to the defense arsenal. Even a policy that allows many CAs is helpful as a way of reducing the attack surface, compared to the default, which allows all CAs. Deploying CAA may be difficult in complex environments because a policy set on the domain name applies to all subdomains.