Way to enforce DNSSEC validation

Let's Encrypt wants to deploy the CAA validationmethods extension, but it's been held up by issues with the CAA standard.