move ooni.torproject.org to our mirrors and/or fix CAA hardening for subdomain

In #41386 (closed), we have tried to harden our CAA records, but this impacted the OONI folks who couldn't renew their certificates. A workaround was deployed on the subdomain, but we'd like to re-harden this bit by either:

  1. make the ooni.torproject.org redirects part of our normal "vanity hosts" redirections on the static mirror system, or;
  2. restrict the CAA record to a specific (set of?) Let's Encrypt accounts

@art, which one should we be, and what timeline should we look for this?

Edited by anarcat
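
Added example (not part of the original issue and not Tor Project tooling): a small Python audit for option 2, using the RFC 8657 `accounturi` parameter and the RFC 8659 rule that the closest name carrying CAA records decides. The zone contents and account IDs are constructed placeholders, and only non-wildcard names are handled.

```python
# Constructed sample data: NOT the real torproject.org records; account IDs are placeholders.
ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/"
ZONE = {
    "torproject.org": ['0 issue "letsencrypt.org; accounturi=' + ACCT + '111111"'],
    # Assumed shape of an unpinned subdomain record (any account at this CA).
    "ooni.torproject.org": ['0 issue "letsencrypt.org"'],
}

def parse_caa(rdata):
    """Split '<flags> <tag> "<value>"' into (tag, issuer, params)."""
    _flags, tag, value = rdata.split(None, 2)
    issuer, *params = [p.strip() for p in value.strip('"').split(";")]
    return tag.lower(), issuer.lower(), dict(p.split("=", 1) for p in params if "=" in p)

def relevant_rrset(name, zone):
    """RFC 8659: climb towards the root; the first name with CAA records wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []

def may_issue(name, ca, account, zone):
    """True if `ca`, acting for ACME `account`, may issue for non-wildcard `name`."""
    issue = [r for r in map(parse_caa, relevant_rrset(name, zone)[1]) if r[0] == "issue"]
    if not issue:
        return True  # no issue property in the relevant set: no restriction
    return any(issuer == ca and params.get("accounturi", account) == account
               for _tag, issuer, params in issue)

def unpinned(zone):
    """Names whose own CAA set lets a CA issue for any of its accounts."""
    return sorted(name for name, rrs in zone.items()
                  if any(tag == "issue" and issuer and "accounturi" not in params
                         for tag, issuer, params in map(parse_caa, rrs)))

if __name__ == "__main__":
    other = ACCT + "999999"
    print(unpinned(ZONE))
    print(may_issue("ooni.torproject.org", "letsencrypt.org", other, ZONE))
    print(may_issue("www.torproject.org", "letsencrypt.org", other, ZONE))
```

Listing one `issue` record per permitted account on the subdomain is how a set of accounts is expressed; `unpinned` then returns an empty list for that zone.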