Caa* records are a bit rare and unless you run a very new dns server version many of these records will be tossed out as too new since it is either not supported either by the name server or dnssec wrapper.
To do caa records in an ‘older’ server i had to use rfc 3597 syntax which does look like voodoo compared to normal dns records its not the kind of thing the bbc think is not worth reporting on (my blog). It is some kind of machine readable format of which i have not delved in to but looks a bit like atps.
Not all ca’s (not a typo) support caa for since when i write this gandi don’t, but letsencrypt do so if your shopping for tls its another limiter.
So two zoo domains do have caa records from two suppliers. But two do not. As many dns things like tlsa (my blog) are not checked by browsers i doubt they will be doing caa checks anytime soon.
So I will keep the two records i have and see how maintainable they are. Stay tuned for updates!
It will be doubtful the zoo will purchase gandi ssl (tls) again
*nothing to do with aircraft