@saul I think adding CAA records every 90 days solely to get Let’s Encrypt certificates is not a good idea. You should at least add the records such that you may keep them. Especially since some clients may cache DNS queries, or changes may take a while, and visitors might encounter trouble depending on how clients treat the flag value in the record.
That aside, applying

    example.com. IN CAA 0 issue "letsencrypt.org"

actually means anyone else still may issue certificates, though. I’d advise seeing which CAs you really want to use and adding something like

    example.com. IN CAA 128 issue "caname.tld"
    example.com. IN CAA 0 iodef "mailto:[email protected]"
At least this is a safe implementation and how it is supposed to be used, such that only the specified CAs are permitted to issue any certificates, and if there has been a request by any other CA and it failed, it would usually email you at the specified mail address.
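An added example (not part of the post above, and not any CA's actual code): Python that parses zone-file CAA lines like the ones quoted and applies the RFC 8659 checks a CA performs before issuing. Under those rules any `issue` property limits issuance to the listed CA domains, and the critical flag (128) blocks issuance only when the CA does not recognise the property tag. The sample zone text, the `futuretag` tag and the `hostmaster@example.com` address are constructed for the example.

```python
import re

# Constructed sample record sets, modelled on the records quoted in the post.
LE_ONLY = 'example.com. IN CAA 0 issue "letsencrypt.org"'
WITH_IODEF = '''example.com. IN CAA 128 issue "caname.tld"
example.com. IN CAA 0 iodef "mailto:hostmaster@example.com"'''
UNKNOWN_CRITICAL = 'example.com. IN CAA 128 futuretag "x"'  # hypothetical tag

CAA_RE = re.compile(
    r'^\S+\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$', re.I)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(zone_text):
    """Return (flags, tag, value) tuples from zone-file style CAA lines."""
    records = []
    for line in filter(None, map(str.strip, zone_text.splitlines())):
        m = CAA_RE.match(line)
        if m is None:
            raise ValueError(f"not a CAA record: {line!r}")
        records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records


def may_issue(records, ca_domain, wildcard=False):
    """Apply RFC 8659 processing for one CA's issuer domain name."""
    # Critical bit set on a tag the CA does not understand: must not issue.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    relevant = issuewild if wildcard and issuewild else issue
    if not relevant:
        return True  # no issue/issuewild property: CAA places no restriction
    # Issuer domain is the part before any ';' parameters; "" authorises no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed


def iodef_targets(records):
    """Addresses a CA may report policy-violating requests to."""
    return [v for _, t, v in records if t == "iodef"]


if __name__ == "__main__":
    for name, zone in [("LE_ONLY", LE_ONLY), ("WITH_IODEF", WITH_IODEF)]:
        recs = parse_caa(zone)
        for ca in ("letsencrypt.org", "caname.tld"):
            print(name, ca, may_issue(recs, ca))
        print(name, "iodef:", iodef_targets(recs))
```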