FEATURE: CAA_BUILDER: add issue_critical and issuewild_critical (#2728)

Co-authored-by: Tom Limoncelli <tlimoncelli@stackoverflow.com>

documentation/functions/domain/CAA_BUILDER.md

@@ -5,14 +5,18 @@ parameters:
   - iodef
   - iodef_critical
   - issue
+  - issue_critical
   - issuewild
+  - issuewild_critical
 parameters_object: true
 parameter_types:
   label: string?
   iodef: string
   iodef_critical: boolean?
   issue: string[]
+  issue_critical: boolean?
   issuewild: string[]
+  issuewild_critical: boolean?
 ---
 
 DNSControl contains a `CAA_BUILDER` which can be used to simply create
@@ -22,7 +26,7 @@ authorized certificate authorities and the builder cares about the rest.
 
 ## Example
 
-For example you can use:
+### Simple example
 
 {% code title="dnsconfig.js" %}
 ```javascript
@@ -39,15 +43,7 @@ CAA_BUILDER({
 ```
 {% endcode %}
 
-The parameters are:
-
-* `label:` The label of the CAA record. (Optional. Default: `"@"`)
-* `iodef:` Report all violation to configured mail address.
-* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
-* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
-* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
-
-`CAA_BUILDER()` returns multiple records (when configured as example above):
+`CAA_BUILDER()` builds multiple records:
 
 {% code title="dnsconfig.js" %}
 ```javascript
@@ -57,3 +53,64 @@ CAA("@", "issue", "comodoca.com")
 CAA("@", "issuewild", ";")
 ```
 {% endcode %}
+
+which in turns yield the following records:
+
+```text
+@ 300 IN CAA 128 iodef "mailto:test@example.com"
+@ 300 IN CAA 0 issue "letsencrypt.org"
+@ 300 IN CAA 0 issue "comodoca.com"
+@ 300 IN CAA 0 issuewild ";"
+```
+
+### Example with CAA_CRITICAL flag on all records
+
+The same example can be enriched with CAA_CRITICAL on all records:
+
+{% code title="dnsconfig.js" %}
+```javascript
+CAA_BUILDER({
+  label: "@",
+  iodef: "mailto:test@example.com",
+  iodef_critical: true,
+  issue: [
+    "letsencrypt.org",
+    "comodoca.com",
+  ],
+  issue_critical: true,
+  issuewild: "none",
+  issuewild_critical: true,
+})
+```
+{% endcode %}
+
+`CAA_BUILDER()` then builds (the same) multiple records - all with CAA_CRITICAL flag set:
+
+{% code title="dnsconfig.js" %}
+```javascript
+CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL)
+CAA("@", "issue", "letsencrypt.org", CAA_CRITICAL)
+CAA("@", "issue", "comodoca.com", CAA_CRITICAL)
+CAA("@", "issuewild", ";", CAA_CRITICAL)
+```
+{% endcode %}
+
+which in turns yield the following records:
+
+```text
+@ 300 IN CAA 128 iodef "mailto:test@example.com"
+@ 300 IN CAA 128 issue "letsencrypt.org"
+@ 300 IN CAA 128 issue "comodoca.com"
+@ 300 IN CAA 128 issuewild ";"
+```
+
+
+### Parameters
+
+* `label:` The label of the CAA record. (Optional. Default: `"@"`)
+* `iodef:` Report all violation to configured mail address.
+* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
+* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
+* `issue_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
+* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
+* `issuewild_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)