X
A lot of good things to think about. The idea of the browser checking whether CAA has been violated might need some more fleshing out. A good defense against this whole problem is to have your CAA locked down so that NO certificates can be issued, except when you're doing a renewal. Having the browser break in this scenario wouldn't be good. There would need to be some way to separately say "a certificate from this issuer is expected" as opposed to "this issuer may issue me a certificate right now".
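As an added illustration of the distinction drawn above (not code from this thread), a simplified RFC 8659-style CAA evaluator over a constructed zone: the locked-down parent name authorises no issuer, so a browser that treated "issuer not permitted right now" as "certificate is suspect" would alarm on a perfectly legitimate certificate. Zone names and the issuer domain are placeholders.

```python
# Added example: simplified CAA (RFC 8659) evaluation on constructed zone data.
# Shows why "may this CA issue now" differs from "is this certificate expected".

CONSTRUCTED_ZONE = {
    # Locked down: an "issue" value of ";" names no CA, so nobody may issue.
    "example.com": [(0, "issue", ";")],
    # Renewal window open for one placeholder CA only.
    "renewing.example.com": [(0, "issue", "ca.example-issuer.test")],
}


def find_relevant_rrset(name, zone):
    """Walk from `name` toward the root and return the first CAA RRset found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuance_permitted(name, issuer, zone, wildcard=False):
    """True if `issuer` may issue for `name` now (simplified RFC 8659 rules)."""
    rrset = find_relevant_rrset(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if wildcard and not values:  # issuewild absent: wildcard falls back to issue
        values = [v for _, t, v in rrset if t == "issue"]
    if not values:
        return True  # no governing tag for this request type
    # The issuer domain precedes any ";"-separated parameters; ";" alone is empty,
    # so it can never match a real issuer.
    return any(v.split(";", 1)[0].strip() == issuer for v in values)


def browser_style_caa_check(name, cert_issuer, zone):
    """The naive check the comment warns about: flag a presented certificate
    whenever its issuer is not permitted by the CAA set at connection time."""
    return "ok" if issuance_permitted(name, cert_issuer, zone) else "alarm"
```

A certificate for example.com issued during an earlier renewal window is valid, yet `browser_style_caa_check` reports "alarm" once the zone is locked down again, which is the gap between "expected issuer" and "permitted issuer" the comment describes.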