DNS CAA allows the holder of a domain to specify which certificate authorities are allowed to issue certificates for that domain.
Let's encrypt support is, as do recent versions of the bind DNS server. https://sslmate.com/labs/caa/ helps to get the DNS record correct. SSL Labs already checks for the CAA record.
Put this in your BIND zone file:
@ CAA 0 issue "letsencrypt.org"
posted at: 22:09 | path: /configuration | permanent link