A CAA flag to limit acceptable challenge types would be quite neat to exclude potentially less secure challenge types (application dependent) or to enforce domain policy (for example, all challenges on my end are handled through a secure API that our ACME clients use to manage _acme-challenge DNS records for authorized hostnames).
For example, if I only wanted to allow DNS-01 for issuance I could explicitly call it out in the CAA record. Same could go for multiple methods: for example, if I only wanted to allow DNS-01 and TLS-SNI-01.
I’m not too sure on the aspects of CAA such as what adding things to it would look like (even if it’s a Let’s Encrypt/CA/vendor specific flag).
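What a record of this shape looks like and how a CA-side check would evaluate it, as an added example that is not part of the original post: the `validationmethods` parameter on a CAA `issue` value (RFC 8657, on top of the RFC 8659 `issue` syntax) restricts which ACME challenge types a named CA may use. The record values and CA names below are constructed for illustration; the function assumes the caller has already located the relevant CAA record set for the domain.

```python
from dataclasses import dataclass, field

# Parses the value of a CAA "issue"/"issuewild" property (RFC 8659):
#   <issuer-domain-name> [; name=value ...]
# and honours the "validationmethods" parameter from RFC 8657, e.g.
#   'letsencrypt.org; validationmethods=dns-01'     (constructed sample)

@dataclass
class IssueValue:
    issuer: str                     # "" (a bare ";") means no CA may issue
    params: dict = field(default_factory=dict)

def parse_issue_value(value: str) -> IssueValue:
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        name, val = p.split("=", 1)
        params[name.strip().lower()] = val.strip()
    return IssueValue(issuer, params)

def issuance_allowed(records, ca: str, method: str) -> bool:
    """records: the issue-property values found for the domain (empty list
    means no CAA policy, so any CA may issue). ca: the CA's issuer-domain-name.
    method: the ACME challenge type the CA validated with, e.g. 'dns-01'."""
    if not records:
        return True
    ca, method = ca.lower(), method.lower()
    for rec in map(parse_issue_value, records):
        if rec.issuer != ca:
            continue
        allowed = rec.params.get("validationmethods")
        if allowed is None:
            return True  # record names this CA with no method restriction
        permitted = {m.strip().lower() for m in allowed.split(",")}
        if method in permitted:
            return True
    # CAA records exist but none authorise this CA with this method
    return False
```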