Deploy DNS CAA
Originally created by @cypherpunks on #15637 (Redmine)
Because the plan in #9026 (closed) to deploy HPKP may have been hindered by Chrome’s desire to remove HPKP support, it may be a good idea to instead (or additionally) deploy CAA. It has weaker guarantees than HPKP and in particular assumes the CA to be trustworthy, but is a significant improvement over the default state. Its support has recently been mandated and now all DNS servers and CAs support it. Deployment requires nothing more than creating a new DNS record.
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum