Another potentially interesting extension to CAA would be the option to ask that issuers rely only on a subset of the 10 Blessed Methods. This would allow a subscriber to effectively distrust particular methods based on their own circumstances, or simply on an understanding of each method's limitations. This would not have been possible when CAA was conceived, because the Blessed Methods had not yet been explicitly enumerated and in practice most CAs performed “any other method” validations under the old rules.
Setting CAA to require a DNS-based validation method, combined with DNSSEC for your DNS records (including CAA), should ensure that bad guys can’t obtain a certificate for your names without attacking either your secure DNS or the secure DNS of a domain above yours (e.g. your TLD or the root). This is a higher bar than is achievable today by any merely technical means.
This approach could be simulated today by a CA (e.g. Let’s Encrypt) setting aside some sub-domains for particular Blessed Methods (or, in an ACME implementation, for particular ACME challenges). We could imagine, for example, that a CAA record specifying http-01.letsencrypt.org as the issuer would signify that only the http-01 challenge should be used with that domain.
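As an added illustration of the convention sketched above (this is example code written for this page, not Let’s Encrypt’s or any CA’s implementation, and no CA interprets issuer sub-domains this way today), the following evaluator treats a CAA issue value of the form `<challenge>.<issuer>` as "this issuer may issue, but only via that challenge". It also performs the standard CAA tree climb from the requested name up through its parents, and honours the "issue ;" form that forbids issuance. The zone data, names and e-mail address are all constructed for the example.

```python
"""
Added example: evaluate the hypothetical "issuer-per-challenge" CAA convention,
where an issue value such as http-01.letsencrypt.org is read as "Let's Encrypt
may issue for this name, but only using the http-01 challenge".  Illustrative
code only; not any CA's real policy engine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) marks the record as issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org", "http-01.letsencrypt.org", ";"


# Constructed zone data (not real DNS): owner name -> CAA record set.
ZONE = {
    "example.com.": [CAARecord(0, "issue", "http-01.letsencrypt.org")],
    "strict.example.com.": [CAARecord(0, "issue", "dns-01.letsencrypt.org"),
                            CAARecord(0, "iodef", "mailto:security@example.com")],
    "noissue.example.com.": [CAARecord(0, "issue", ";")],  # nobody may issue
}

# ACME challenge types that the hypothetical convention could name.
KNOWN_CHALLENGES = {"http-01", "dns-01", "tls-alpn-01"}


def relevant_caa(name, zone):
    """Tree climb: use the first non-empty CAA set found on the name itself or
    on one of its parents (simplified: no CNAME or wildcard-owner handling)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return zone[candidate]
    return []


def parse_issuer_value(value):
    """Split 'issuer-domain; key=value; ...' into (issuer_domain, params)."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip()] = v.strip()
    return parts[0], params


def issuance_allowed(name, issuer, challenge, zone=ZONE, wildcard=False):
    """Return (allowed, reason) for `issuer` validating `name` via `challenge`.

    Hypothetical convention: a bare issuer domain permits any challenge, while
    '<challenge>.<issuer>' permits only that challenge.  'issue ;' with no other
    matching record forbids issuance entirely."""
    records = relevant_caa(name, zone)
    if not records:
        return True, "no CAA records found: any CA may issue"

    tag = "issuewild" if wildcard else "issue"
    issue_set = [r for r in records if r.tag == tag]
    if wildcard and not issue_set:
        # Without issuewild records, wildcard issuance falls back to issue records.
        issue_set = [r for r in records if r.tag == "issue"]

    if not issue_set:
        # An unrecognised critical tag must block issuance; otherwise nothing constrains us.
        if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in records):
            return False, "unrecognised critical CAA tag present"
        return True, "no issue/issuewild records: any CA may issue"

    for r in issue_set:
        domain, _params = parse_issuer_value(r.value)
        if domain == "":
            continue  # 'issue ;' adds nothing to the permitted set
        if domain == issuer:
            return True, f"{issuer} permitted with any validation method"
        if domain.endswith("." + issuer):
            method = domain[: -len(issuer) - 1]
            if method in KNOWN_CHALLENGES and method == challenge:
                return True, f"{issuer} permitted, but only via {challenge}"
    return False, f"{issuer} not authorized for {name} via {challenge}"


if __name__ == "__main__":
    for args in [("www.example.com.", "letsencrypt.org", "http-01"),
                 ("www.example.com.", "letsencrypt.org", "dns-01"),
                 ("strict.example.com.", "letsencrypt.org", "dns-01"),
                 ("noissue.example.com.", "letsencrypt.org", "http-01")]:
        print(args, "->", issuance_allowed(*args))
```

Note that `www.example.com.` has no CAA records of its own, so the climb reaches `example.com.` and the http-01-only restriction applies there too; a subscriber who wants a stricter method on one sub-domain (as `strict.example.com.` does) must publish a record at that name, because the first non-empty set found wins.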