In addition to T1228 nginx configuration, we need to take care of CAA records
to document what authorities are allowed to generate certificates for our domains.

For public resources, it's for example currently only Let's Encrypt,
we don't use StartCom CA anymore.

If we use wildcard certificates, a explicit issuewild record must also be added.

nasqueron.org.  CAA 0 issue "letsencrypt.org"
nasqueron.org.  CAA 0 issuewild "letsencrypt.org"