Just spitballing here, but could you effectively disallow all public certs for your domain by adding a CAA record to your root domain for a non-existent CA and then add additional CAA records on sub-domains as appropriate for "approved" certs?
Our marketing team uses Squarespace for blog sites. Squarespace issues certs for those through Let's Encrypt. Squarespace requires a verify CNAME record to validate domain control; I imagine they pass this on to Let's Encrypt when requesting the cert. All good there.
If I create a CAA record allowing letsencrypt.org, I'm not just allowing or approving a single cert, I'm allowing any cert request through Let's Encrypt. And, with this, I'm giving up trust for a domain that I manage to Squarespace and Let's Encrypt.
Compare this to Digicert. I have a CAA record for Digicert; someone else tries to request a cert and that request will come to me. So I can allow a blog / hosting service to issue the cert with automation and still maintain control.
You can restrict a set of Let's Encrypt accounts that are allowed to issue in your CAA records.
We implement RFC 8657 for this:
An example record from the RFC:
example.com. IN CAA 0 issue "example.net; \
Note that if you have a CAA record for a subdomain, that takes precedence over the CAA record at higher levels. Also note that CAA record lookups for a domain follow CNAMEs, so in combination: if you have a subdomain CNAME'd elsewhere, your top-level CAA record would not restrict issuance if the CNAME destination has a CAA record.
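The lookup rules in the last two posts (climb from the name towards the root, follow a CNAME at each step, and honour an RFC 8657 accounturi parameter on an issue record) are small enough to model end to end. The block below is an added example written for this thread; it is not Let's Encrypt's (Boulder's) code. The zone, the hosting-provider name, the ACME account URI and the function names (`relevant_caa_set`, `may_issue`) are all constructed for illustration, and `nonexistent-ca.invalid` stands in for the "non-existent CA" deny-all trick from the first post.

```python
"""Model of a CA's CAA check (RFC 8659) with the accounturi parameter (RFC 8657),
run over a constructed in-memory zone. Example code only, not Boulder."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL = 128  # RFC 8659 issuer-critical flag


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone. Names, the hosting provider and the account URI are made up;
# "nonexistent-ca.invalid" denies all issuance at the apex by naming a CA that
# does not exist (the idea from the first post).
ZONE: Dict[str, dict] = {
    "example.com.": {"CAA": [CAA(0, "issue", "nonexistent-ca.invalid")]},
    "www.example.com.": {"CAA": [CAA(0, "issue", "digicert.com")]},
    "static.example.com.": {"CAA": [CAA(0, "issue", ";")]},  # explicit deny-all
    "api.example.com.": {},  # no records of its own: inherits the apex policy
    # Hosted blog: CNAME to the provider, which publishes the CAA record there
    # (it cannot sit next to the CNAME, RFC 1912 section 2.4).
    "blog.example.com.": {"CNAME": "sites.hosting-provider.example."},
    "sites.hosting-provider.example.": {"CAA": [CAA(
        0, "issue",
        "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345")]},
    # CNAME whose target publishes no CAA: the apex policy applies again.
    "orphan.example.com.": {"CNAME": "nothing.hosting-provider.example."},
}


def parent(name: str) -> str:
    """'blog.example.com.' -> 'example.com.'; 'com.' -> '.'"""
    rest = name.rstrip(".").split(".")[1:]
    return ".".join(rest) + "." if rest else "."


def resolve_alias(name: str, zone: Dict[str, dict], max_hops: int = 8) -> str:
    """Follow CNAMEs to the canonical name; CAA(X) is looked up there."""
    for _ in range(max_hops):
        node = zone.get(name, {})
        if "CNAME" not in node:
            return name
        name = node["CNAME"]
    raise ValueError("CNAME chain too long")


def relevant_caa_set(name: str, zone: Dict[str, dict]) -> Tuple[Optional[str], List[CAA]]:
    """RFC 8659 section 3: first non-empty CAA RRset walking from the name up to
    the root. Only the queried name's parents are climbed, never the CNAME
    target's, so a target without CAA records falls back to your own apex."""
    while name != ".":
        target = resolve_alias(name, zone)
        rrset = list(zone.get(target, {}).get("CAA", []))
        if rrset:
            return target, rrset
        name = parent(name)
    return None, []


def parse_issue(value: str) -> Tuple[str, Dict[str, str]]:
    """'ca.example; accounturi=U' -> ('ca.example', {'accounturi': 'U'})"""
    issuer, *raw = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in raw:
        if p:
            key, _, val = p.partition("=")
            params[key.strip()] = val.strip()
    return issuer, params


def may_issue(name: str, ca_domain: str, account_uri: Optional[str],
              zone: Dict[str, dict] = ZONE, wildcard: bool = False) -> Tuple[bool, str]:
    """Decide as the CA identified by ca_domain, acting for ACME account account_uri."""
    found_at, rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True, "no CAA records anywhere in the tree"
    for rr in rrset:  # critical record with a tag we do not implement: refuse
        if rr.flags & CRITICAL and rr.tag not in ("issue", "issuewild", "iodef"):
            return False, f"unrecognised critical tag {rr.tag!r} at {found_at}"
    tag = "issuewild" if wildcard else "issue"
    candidates = [rr for rr in rrset if rr.tag == tag]
    if wildcard and not candidates:  # no issuewild: issue records govern wildcards
        candidates = [rr for rr in rrset if rr.tag == "issue"]
    if not candidates:
        return True, f"CAA at {found_at} has no {tag} property"
    for rr in candidates:
        issuer, params = parse_issue(rr.value)
        if issuer.lower() != ca_domain.lower():  # also rejects the deny-all ';' form
            continue
        if set(params) - {"accounturi"}:  # parameter this CA does not implement
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        return True, f"authorised by {rr.value!r} at {found_at}"
    return False, f"no issue record at {found_at} authorises {ca_domain}"


if __name__ == "__main__":
    LE = "letsencrypt.org"
    ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"
    for q in [("www.example.com.", "digicert.com", None),
              ("blog.example.com.", LE, ACCT),
              ("blog.example.com.", LE, ACCT.replace("12345", "99999")),
              ("orphan.example.com.", LE, ACCT)]:
        print(q[0], q[1], *may_issue(*q))
```

Running it shows the three outcomes the thread describes: `www` is authorised only for the CA named on its own record, `blog` is decided entirely by the record at the CNAME target (and only for the one ACME account listed there), and `orphan`, whose CNAME target has no CAA record, falls back to the deny-all record at `example.com.`.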
If I read your reply correctly, is blog.example.com a CNAME record? If yes, then you will be in a dead end, and you will have no choice. This is because a CNAME record doesn't mix with most other DNS records (as per RFC 1912, Section 2.4, save a few exceptions explicitly allowed in another RFC), so you cannot set a blog.example.com CAA record alongside a blog.example.com CNAME record.
I guess this issue may be an oversight in the RFC. Is it possible to clarify this in the IETF?
No, but as mcpherrinm noted in post #7, you put the CAA record in the destination location of the CNAME. You have delegated responsibility for the cert issuance by using the CNAME so that party needs to set the records to allow the issuance (if you have blocked issuance at a higher level).
What hasn't been said yet is that once you CNAME to someone else's domain, they could issue a cert for that name with any Certificate Authority. The original question asked how to have Let's Encrypt alert about cert issuance, but there is no reason that Squarespace has to use just LE. They could use any ACME-compliant CA once they have been given control of a domain name.