I recently started to add CAA records for my domains to only allow LE to issue certificates, but I have not tested them out until now.
dig crashsec.com CAA returns this:
crashsec.com. 2419166 IN CAA 1 issue "\;"
crashsec.com. 2419166 IN CAA 0 iodef "mailto:email@example.com"
crashsec.com. 2419166 IN CAA 0 issuewild "\;"
I tested this with all CAs disallowed, but I could generate a certificate successfully without a problem, from both the staging server and production. (https://crt.sh/?id=113804463)
I’d appreciate it if someone could shed some light on whether my DNS setup is at fault, or whether LE is not actively checking CAA records prior to issuing the certificate just yet.
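
For reference, an added example that is not part of the original post: a small Python check that parses the dig answer lines shown above and applies the RFC 8659 issuance decision to them. The function names are hypothetical, `letsencrypt.org` is the issuer identifier Let's Encrypt uses in CAA records, and the code assumes the lines passed in are already the relevant record set for the name (it does not climb the DNS tree or query a resolver).

```python
import re

# dig answer lines as shown in the post (presentation format; ';' is escaped as '\;')
DIG_ANSWER = r'''
crashsec.com. 2419166 IN CAA 1 issue "\;"
crashsec.com. 2419166 IN CAA 0 iodef "mailto:email@example.com"
crashsec.com. 2419166 IN CAA 0 issuewild "\;"
'''

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # Issuer Critical flag; a flags value of 1 sets a reserved bit instead


def parse_caa(text):
    """Return (flags, tag, value) tuples from dig answer-section lines."""
    records = []
    for line in text.strip().splitlines():
        _name, _ttl, _cls, rtype, flags, tag, value = line.split(None, 6)
        if rtype != "CAA":
            continue
        value = re.sub(r"\\(.)", r"\1", value.strip().strip('"'))
        records.append((int(flags), tag.lower(), value))
    return records


def issuance_permitted(records, ca_id, wildcard=False):
    """Apply the RFC 8659 decision to the relevant record set for one name."""
    # An unrecognised property marked critical forbids issuance outright.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    values = [v for _, t, v in records if t == "issuewild"] if wildcard else []
    if not values:  # non-wildcard request, or wildcard with no issuewild present
        values = [v for _, t, v in records if t == "issue"]
    if not values:  # only iodef or no CAA at all: no restriction
        return True
    # The issuer domain is the text before any ';' parameters; empty matches no CA.
    return any(v.split(";", 1)[0].strip().lower() == ca_id for v in values)


if __name__ == "__main__":
    recs = parse_caa(DIG_ANSWER)
    for wild in (False, True):
        print("wildcard" if wild else "non-wildcard",
              issuance_permitted(recs, "letsencrypt.org", wild))
```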