Today I learned the .et country-code TLD has a CAA record, which is unusual. I wrote a quick script to check, and verified no other TLDs have one. https://github.com/mcpherrinm/caa-tld-check

Because CAA checking starts with the leaf domain and climbs up until it finds one, subdomains can add their own CAA record to override the one at the TLD. This means it doesn't really stop anyone from issuing with the CA they want, but overall the situation is a bit surprising.

I learned about this CAA record from the discussion at https://community.letsencrypt.org/t/caa-record-for-et-prevents-issuance/208291