CAA Setup for Let's Encrypt

This is correct and should be all you need.

FYI, iodef is not (yet) supported by Let's Encrypt.

The critical flag in CAA, like the critical flag in X.509 extensions, means only "error out if you don't understand this." Adding the critical flag to CAA types that are part of the base RFC (like issue) has no effect.

Also keep in mind: I'm not aware of any other CA that implements CAA yet. So, while adding the entries is nice, keep in mind that most other CAs will be willing to issue for your domain regardless. Edit: As of September 2017, all public CAs are required by the Baseline Requirements to implement CAA.

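The critical-flag behaviour described in the post above, as an added example that is not part of the original post and is not Let's Encrypt's code: a simplified CA-side check in the style of RFC 8659 for non-wildcard names. The `may_issue` and `rdata` helpers, the `futuretag` property and the `otherca.example` domain are constructed for illustration.

```python
# Added example: simplified CA-side CAA evaluation (non-wildcard names only).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this hypothetical CA understands
CRITICAL = 0x80                               # Issuer Critical bit in the flags byte

def parse_caa_rdata(rdata: bytes):
    """Decode CAA RDATA: flags (1 byte) | tag length (1 byte) | tag | value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("ascii")
    return flags, tag, value

def issuer_of(value: str) -> str:
    """The issuer domain name is the part before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(rrset, ca_domain: str):
    """Return (allowed, reason) given the relevant CAA RRset as raw RDATA."""
    records = [parse_caa_rdata(r) for r in rrset]
    # The critical bit only matters for a property the CA does not understand.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False, f"unrecognized critical property '{tag}'"
    issuers = [issuer_of(v) for _, tag, v in records if tag == "issue"]
    if not issuers:
        return True, "no issue property; issuance not restricted"
    if ca_domain.lower() in issuers:
        return True, "CA named in issue property"
    return False, "CA not named in any issue property"

def rdata(flags: int, tag: str, value: str) -> bytes:
    """Build constructed sample RDATA for the checks below."""
    return bytes([flags, len(tag)]) + tag.encode("ascii") + value.encode("ascii")

if __name__ == "__main__":
    for flags in (0, 128):  # same outcome: 'issue' is always understood
        print(flags, may_issue([rdata(flags, "issue", "letsencrypt.org")], "letsencrypt.org"))
    blocked = [rdata(0, "issue", "letsencrypt.org"), rdata(128, "futuretag", "x")]
    print(may_issue(blocked, "letsencrypt.org"))
```

Setting flags to 128 on `issue` gives the same result as 0, while the same bit on a property the CA does not recognize blocks issuance even for a CA that is otherwise authorized.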