
Harden CAA records in DNS

Our CAA records are relatively broad, and in the context of tpo/tpa/team#41374, we could benefit from narrowing them down a little.

$ dig +short caa torproject.org
128 issuewild ";"
0 iodef "mailto:torproject-admin@torproject.org"
128 issue "globalsign.com"
128 issue "letsencrypt.org"

Let's Encrypt has good documentation on CAA records: https://letsencrypt.org/docs/caa

Based on this, we should:

  • narrow down the scope of the globalsign.com origin
  • add CAA records for all subdomain letsencrypt.org certificates generated outside Puppet
  • tie our main account number to the top-level letsencrypt.org origin
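As an added illustration (not code from this issue or from the Tor Project's Puppet repository), the following Python script parses `dig +short caa` output into records, including the RFC 8657 parameters that the Let's Encrypt documentation describes (`accounturi`, `validationmethods`), and audits one name's RRset against a small policy: wildcard issuance stays disabled, an `iodef` contact exists, and every `letsencrypt.org` issue record is pinned to one ACME account URI. The current RRset is copied from the `dig` output above; the hardened RRset, the policy and the account URI `https://acme-v02.api.letsencrypt.org/acme/acct/EXAMPLE-ACCOUNT-ID` are constructed placeholders, not a real account. Narrowing `globalsign.com` by publishing it only at the names that actually use it is a per-name decision that this single-RRset audit does not model.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CAARecord:
    flags: int                                  # 128 == critical flag set
    tag: str                                    # issue / issuewild / iodef
    value: str                                  # CA domain, or URL for iodef; "" means "no CA"
    params: dict = field(default_factory=dict)  # RFC 8657 parameters, e.g. accounturi


def parse_caa_line(line):
    """Parse one line of `dig +short caa` output, e.g. 128 issue "letsencrypt.org; accounturi=...".

    The quoted value is split on ";": the first field is the issuer domain (empty
    for ";", which forbids issuance), the remaining fields are key=value parameters.
    """
    m = re.fullmatch(r'\s*(\d+)\s+(\w+)\s+"(.*)"\s*', line)
    if not m:
        raise ValueError(f"not a CAA presentation line: {line!r}")
    flags, tag, raw = int(m.group(1)), m.group(2).lower(), m.group(3)
    fields = [f.strip() for f in raw.split(";")]
    params = {}
    for f in fields[1:]:
        if f:
            key, _, val = f.partition("=")
            params[key.strip().lower()] = val.strip()
    return CAARecord(flags, tag, fields[0], params)


def parse_caa_output(lines):
    return [parse_caa_line(l) for l in lines if l.strip()]


def audit_caa(records, policy):
    """Return a list of findings; an empty list means the RRset satisfies the policy.

    policy maps an allowed CA domain to the accounturi it must be pinned to,
    or None when that CA may stay unpinned.
    """
    findings = []
    if not any(r.tag == "iodef" for r in records):
        findings.append("no iodef record: CAs have nowhere to report refused issuance")

    issue = [r for r in records if r.tag == "issue"]
    if not issue:
        findings.append("no issue record: non-wildcard issuance is not restricted by CAA")
    for r in issue:
        if r.value == "":
            continue  # 'issue ";"' explicitly forbids every CA
        if r.value not in policy:
            findings.append(f"issue record authorises unexpected CA {r.value}")
        elif policy[r.value] and r.params.get("accounturi") != policy[r.value]:
            findings.append(f"issue record for {r.value} is not pinned to accounturi {policy[r.value]}")

    wild = [r for r in records if r.tag == "issuewild"]
    if not wild:
        findings.append("no issuewild record: wildcard issuance falls back to the issue records")
    elif any(r.value != "" for r in wild):
        findings.append("issuewild permits wildcard issuance by "
                        + ", ".join(r.value for r in wild if r.value))
    return findings


# Copied from the `dig +short caa torproject.org` output quoted in the issue.
CURRENT = [
    '128 issuewild ";"',
    '0 iodef "mailto:torproject-admin@torproject.org"',
    '128 issue "globalsign.com"',
    '128 issue "letsencrypt.org"',
]

# Constructed hardened RRset: Let's Encrypt issuance pinned to one ACME account
# (placeholder account id, not a real one); globalsign.com left as-is.
HARDENED = [
    '128 issuewild ";"',
    '0 iodef "mailto:torproject-admin@torproject.org"',
    '128 issue "globalsign.com"',
    '128 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/EXAMPLE-ACCOUNT-ID"',
]

# Constructed policy for the audit above.
POLICY = {
    "letsencrypt.org": "https://acme-v02.api.letsencrypt.org/acme/acct/EXAMPLE-ACCOUNT-ID",
    "globalsign.com": None,
}


if __name__ == "__main__":
    for name, rrset in (("current", CURRENT), ("hardened", HARDENED)):
        findings = audit_caa(parse_caa_output(rrset), POLICY)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run it with the real output (`dig +short caa torproject.org`) piped in place of `CURRENT` to re-check the zone after each Puppet change; the audit reports the unpinned `letsencrypt.org` record for the current RRset and nothing for the hardened one.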
Edited by Jérôme Charaoui