LinuxBender 3 days ago

It may also be worth mentioning that when using CAA and also using something like LetsEncrypt, one can specify which account is permitted to create and update certs and which method is approved, DNS in this case. [1]

Example using DNS validation:

    0 iodef "mailto:domainowner@example.net"
    0 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/xxxxxxxxxx"
    0 issuewild "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/xxxxxxxxxx"
Only useful for non-rogue CAs of course, and maybe some day crt.sh will be less after-the-fact on all browsers and API clients.

[1] - https://www.rfc-editor.org/rfc/rfc8657
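An added example (not part of the comment above, and not Let's Encrypt's code) that evaluates a CAA record set the way a CA is expected to under RFC 8659 tag selection plus the RFC 8657 `validationmethods` and `accounturi` parameters; the record set is constructed from the comment's example and the account URI is a placeholder.

```python
"""Evaluate CAA issue/issuewild records carrying the RFC 8657 ACME
parameters (validationmethods, accounturi). Records are constructed
to mirror the comment above; ACCT is a placeholder account URI."""

# Constructed CAA record set: (flags, tag, value) as they appear in DNS.
ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER"
RECORDS = [
    (0, "iodef", "mailto:domainowner@example.net"),
    (0, "issue", f"letsencrypt.org; validationmethods=dns-01; accounturi={ACCT}"),
    (0, "issuewild", f"letsencrypt.org; validationmethods=dns-01; accounturi={ACCT}"),
]


def parse_issue_value(value):
    """Split an issue/issuewild value into (issuer-domain, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return issuer, params


def issuance_allowed(records, ca, wildcard, method, account_uri):
    """RFC 8659: issuewild governs wildcard names when present, else issue;
    a name with no relevant records carries no restriction. RFC 8657: an
    entry only authorises issuance if its parameters are all satisfied."""
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    relevant = [v for _, t, v in records if t == tag]
    if not relevant:
        return True
    for value in relevant:
        issuer, params = parse_issue_value(value)
        if issuer != ca.lower():
            continue  # an empty issuer (value ";") matches no CA at all
        methods = params.get("validationmethods")
        if methods and method not in [m.strip() for m in methods.split(",")]:
            continue  # e.g. http-01 attempted when only dns-01 is approved
        uri = params.get("accounturi")
        if uri and uri != account_uri:
            continue  # a different ACME account may not issue for this name
        return True
    return False
```

The point a defender should take from running it: with `accounturi` pinned, even the approved CA refuses a request from any account other than your own, which is exactly the case the comment describes.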