RFC 6844 standardized the DNS Certification Authority Authorization RR, which "allow[s] the holder of a domain to specify which certificate authorities are allowed to issue certificates for that domain".
Some CAs (supposedly?) check the value of this record before issuing certificates, and refuse to do so if they are not explicitly whitelisted. Unlike HPKP, this record is not checked by browsers, only CAs. We could change it anytime, as long as we do it at least $TTL seconds before working with a new certificate authority -- a process which usually takes us weeks anyway.
This could potentially protect us from silly incidents like Symantec's latest fiasco.
We issue wildcard certificates for our project domains from GlobalSign & DigiCert. Additionally, we issue non-wildcards for wikimedia.org from Let's Encrypt. Payments' EV is (unfortunately) issued by Symantec, so we'd have to whitelist that for wikimedia.org too. Am I forgetting anything? Edit: also, whatever .corp.wikimedia.org is using? (which we should probably standardize)
Note that SSLMate has a pretty nifty CAA generator that basically does most of the job. Also note that I don't think gdnsd supports CAA records yet but the generator also produces the generic/unknown type zonefile types which would probably work (but fixing gdnsd first might be a better idea :)
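As an added example (not code from this task, SSLMate's generator, or gdnsd), the Python below models both halves of the above: the RFC 3597 generic-type rendering a zonefile needs when the server lacks native CAA support, and the RFC 6844 check a CAA-honouring CA performs before issuing, including the issue/issuewild split and inheritance by subdomains such as .corp.wikimedia.org. The issuer domain names for GlobalSign, DigiCert, Let's Encrypt and Symantec are assumed for illustration and must be confirmed against each CA's published identifier.

```python
"""Model of RFC 6844 CAA: zonefile rendering plus the CA-side issuance check.
Added example; CA issuer domains below are assumed, not verified values."""
from typing import Dict, List, NamedTuple

class CAA(NamedTuple):
    flags: int   # 128 = issuer-critical flag, 0 otherwise
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # issuer domain name; ";" (empty issuer) forbids every CA

def to_generic_rr(owner: str, rr: CAA) -> str:
    """Render a CAA RR in RFC 3597 unknown-type syntax (TYPE257, \\# len hex),
    the form a zonefile needs when the server has no native CAA support."""
    tag = rr.tag.encode("ascii")
    wire = bytes([rr.flags, len(tag)]) + tag + rr.value.encode("utf-8")
    return f"{owner} IN TYPE257 \\# {len(wire)} {wire.hex()}"

def relevant_rrset(zone: Dict[str, List[CAA]], name: str) -> List[CAA]:
    """RFC 6844 section 4: start at the requested name (dropping a leading '*')
    and climb toward the root; the first non-empty CAA set found applies."""
    labels = [l for l in name.rstrip(".").split(".") if l != "*"]
    while labels:
        rrset = zone.get(".".join(labels) + ".", [])
        if rrset:
            return rrset
        labels.pop(0)
    return []

def may_issue(zone: Dict[str, List[CAA]], name: str, ca_domain: str) -> bool:
    """The decision a CAA-honouring CA makes before issuing for `name`."""
    rrset = relevant_rrset(zone, name)
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False  # critical property the CA does not understand: refuse
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild governs wildcard requests only if present; otherwise issue does.
    applicable = issuewild if (name.startswith("*.") and issuewild) else issue
    if not applicable:
        return True  # no CAA restriction published for this certificate type
    allowed = {r.value.split(";")[0].strip().lower() for r in applicable}
    return ca_domain.lower() in allowed

# Constructed zone mirroring the task: wildcards from GlobalSign and DigiCert,
# non-wildcards also from Let's Encrypt, and the payments EV from Symantec.
ZONE = {"wikimedia.org.": [
    CAA(0, "issue", "globalsign.com"), CAA(0, "issue", "digicert.com"),
    CAA(0, "issue", "letsencrypt.org"), CAA(0, "issue", "symantec.com"),
    CAA(0, "issuewild", "globalsign.com"), CAA(0, "issuewild", "digicert.com"),
]}
```

Running `to_generic_rr` over `ZONE` gives the TYPE257 lines a CAA-unaware server can load; `may_issue` shows that Let's Encrypt would be refused a wildcard but allowed a non-wildcard, and that a host under corp.wikimedia.org inherits the apex record set until it publishes its own.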