@tykling What's ridiculous about this is that Caddy, by default, will randomly get a certificate from LetsEncrypt or ZeroSSL and doesn't guarantee that the certificate will be renewed from the same issuer

So if you want CAA to not break your site in the future you need to know you must deploy extra configuration to pin to one of these two providers... *sigh*