Cipher Log

Chronicles in Language, Technology, and Law

Configuring CAA records on Lightsail instances

February 29, 2024

As most any web dev person knows, Google Domains is shutting down. This is unfortunate, because they've really done a good job balancing ease-of-use with advanced options.

I've looked at a lot of different options, including NameCheap and SquareSpace, but found them lacking. Eventually, I settled on Amazon's own registrar services for my Lightsail websites.

There's just one problem: best security practices require adding a CAA record to your DNS zone, so that only a certificate authority that you, as the owner of the domain, have deemed trustworthy is allowed to issue SSL certificates for it. And Lightsail DNS does not allow you to add a CAA record.

Luckily, Amazon splits the existence of a domain apart from the DNS entries, by mapping the domain to a series of nameservers responsible for the 'hosted zone' (DNS settings) of that domain. So you can dive into the more technical AWS DNS settings in Route53 to set up your 'hosted zone', including the CAA record, and then point your Lightsail domain to the Route53 'hosted zone' nameservers instead of the Lightsail nameservers.

  1. Create a domain in Lightsail, along with the Lightsail zone. Point it at a static IP attached to your instance.
  2. Go over to Route53 and create a 'hosted zone' with the same domain name.
  3. In Route53, add an A record (IPv4) and/or AAAA record (IPv6), pointing at your static IP and/or your instance's IPv6 address, respectively.
  4. In Route53, add a CAA record for your certificate authority, e.g., 0 issue "letsencrypt.org" (Route53 expects the value in quotation marks).
  5. In Route53, find your 'hosted zone' name servers in the NS record.
  6. In Lightsail, edit your domain's name servers to match your 'hosted zone' name servers.
  7. In Lightsail, delete your Lightsail zone.
  8. Optionally, use Google's Public DNS Flush Cache tool to get rid of lingering information about your Lightsail zone.

That should get you all set up with a proper CAA record for your domain.
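To confirm that the record you published authorizes the CA you intended and no other, the following added example (not part of the original post) models how a CA evaluates a CAA record set under RFC 8659. It assumes the input lines are in the `flags tag "value"` presentation format that DNS lookup tools print, and it looks only at the domain's own record set, without climbing to parent domains; the function names and sample records are constructed for illustration.

```python
import shlex

# Property tags this sketch recognises (assumption: a CA knowing only these).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(line):
    """Parse one CAA record in presentation format: flags tag "value"."""
    flags, tag, value = shlex.split(line)
    return int(flags), tag.lower(), value

def issuer_domain(value):
    """Return the issuer domain name, dropping any ';'-separated parameters."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(rrset, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue, given the domain's CAA record set."""
    records = [parse_caa(r) for r in rrset]
    # An unrecognised property with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, tag, v in records if tag == "issue"]
    issuewild = [v for _, tag, v in records if tag == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # nothing in this record set restricts issuance
    # A value of ";" yields an empty issuer name, which matches no CA.
    return ca_domain.lower() in {issuer_domain(v) for v in relevant}

if __name__ == "__main__":
    # Constructed sample: the record from step 4 plus a ban on wildcard certs.
    sample = ['0 issue "letsencrypt.org"', '0 issuewild ";"']
    for ca in ("letsencrypt.org", "other-ca.example"):
        print(ca, ca_may_issue(sample, ca), ca_may_issue(sample, ca, wildcard=True))
```
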