Put simply Certification Authority Authorization or CAA is a speical type of DNS records that allows you to inform a certification authority if they are allowed to issue certificates for a domain (or subdomain).
The standard is not that common at the moment but is begenning to get traction. The CA forum has mandated it as Qualys Reported
In this example howson.me is allowed to have certificates issued by either Comodo or lets encrypt. Any violations are reported to hositng e-mail and the 128 means it is critical so
howson.me 3600 IN CAA 128 iodef "[email protected]" howson.me 3600 IN CAA 128 issue "letsencrypt.org" howson.me 3600 IN CAA 128 issue "comodoca.com" howson.me 3600 IN CAA 128 issuewild ";"
The DNS CAA records can be confirmed with ssllabs test
You can generate your own using this great opensource tool from SSL Mate