CAA for

A report came in via HackerOne recommending that Certificate Authority Authorization be implemented for (and other W domains).

CAA allows a domain owner to restrict which CAs are allowed to issue certificates for the domain. It’s been useless until quite recently: the CAB Forum recently voted to enforce CAA checks for all new certificates starting next month, so it’s definitely a useful measure to implement.

More info: