RFC 8659 gave us the DNS CAA record. In a nutshell, you add a record to your DNS, to prevent mis-issuance of TLS certificates for your domain.
Worried that someone on your team will create a wildcard for your domain without understanding the risk?
Worried that a CA will make a mistake an issue a certificate for you?
You can solve this for free right now! And while you are at it, join the preload list.