diff --git a/dns/nix.dev.js b/dns/nix.dev.js
index 09064409..5c9a9559 100644
--- a/dns/nix.dev.js
+++ b/dns/nix.dev.js
@@ -2,6 +2,16 @@ D("nix.dev",
 	REG_NONE,
 	DnsProvider(DSP_GANDI),
 
+	CAA_BUILDER({
+		label: "@",
+		iodef: "mailto:infra+caa@nixos.org",
+		iodef_critical: true,
+		issue: ["letsencrypt.org"],
+		issue_critical: true,
+		issuewild: "none",
+		issuewild_critical: true,
+	}),
+
 	// Domain is not used for mail
 	SPF_BUILDER({
 		label: "@",
diff --git a/dns/nixcon.org.js b/dns/nixcon.org.js
index 836eca2f..cdbc9e9f 100644
--- a/dns/nixcon.org.js
+++ b/dns/nixcon.org.js
@@ -2,6 +2,16 @@ D("nixcon.org",
 	REG_NONE,
 	DnsProvider(DSP_GANDI),
 
+	CAA_BUILDER({
+		label: "@",
+		iodef: "mailto:infra+caa@nixos.org",
+		iodef_critical: true,
+		issue: ["letsencrypt.org"],
+		issue_critical: true,
+		issuewild: "none",
+		issuewild_critical: true,
+	}),
+
 	MX("@", 10, "umbriel.nixos.org."),
 	SPF_BUILDER({
 		label: "@",
diff --git a/dns/nixos.org.js b/dns/nixos.org.js
index 0b4b6208..d895339d 100644
--- a/dns/nixos.org.js
+++ b/dns/nixos.org.js
@@ -8,6 +8,16 @@ D("nixos.org",
 	// bluesky account/domain binding
 	TXT("_atproto", "did=did:plc:bf43o4nxudgubwt4iljpayb7"),
 
+	CAA_BUILDER({
+		label: "@",
+		iodef: "mailto:infra+caa@nixos.org",
+		iodef_critical: true,
+		issue: ["letsencrypt.org"],
+		issue_critical: true,
+		issuewild: "none",
+		issuewild_critical: true,
+	}),
+
 	// nixos.org mailing
 	MX("@", 10, "umbriel"),
 	SPF_BUILDER({
@@ -171,9 +181,6 @@ D("nixos.org",
 	CNAME("test.wiki", "dualstack.n.sni.global.fastly.net."),
 	CNAME("_acme-challenge.test.wiki", "zsz0meyel8hxoy9dtb.fastly-validations.com."),
 
-	// cloudflare pages
-	CNAME("20th", "20th-nix.pages.dev."),
-
 	// github org/domain binding
 	TXT("_github-challenge-nixos", "9e10a04a4b"),
 
diff --git a/dns/ofborg.org.js b/dns/ofborg.org.js
index f89ed155..317a8f55 100644
--- a/dns/ofborg.org.js
+++ b/dns/ofborg.org.js
@@ -2,6 +2,16 @@ D("ofborg.org",
 	REG_NONE,
 	DnsProvider(DSP_GANDI),
 
+	CAA_BUILDER({
+		label: "@",
+		iodef: "mailto:infra+caa@nixos.org",
+		iodef_critical: true,
+		issue: ["letsencrypt.org"],
+		issue_critical: true,
+		issuewild: "none",
+		issuewild_critical: true,
+	}),
+
 	// Domain is not used for mail
 	SPF_BUILDER({
 		label: "@",