diff --git a/newinfra/nix/modules/dns/nilstrieb.dev.nix b/newinfra/nix/modules/dns/nilstrieb.dev.nix
index b5a4ca4..fecea2e 100644
--- a/newinfra/nix/modules/dns/nilstrieb.dev.nix
+++ b/newinfra/nix/modules/dns/nilstrieb.dev.nix
@@ -27,6 +27,11 @@ let
         "v=spf1 include:_spf.protonmail.ch ~all"
       ];
 
+      CAA = [
+        { issuerCritical = false; tag = "issue"; value = "letsencrypt.org"; }
+        { issuerCritical = false; tag = "issue"; value = "sectigo.com"; }
+      ];
+
       NS = [
         "ns1.nilstrieb.dev."
         "ns2.nilstrieb.dev."
@@ -45,7 +50,6 @@ let
         cors-school = vps2 // {
           subdomains.api = vps2;
         };
-        docker = vps2;
         olat = vps2;
 
         localhost.A = [ (a "127.0.0.1") ];
@@ -53,6 +57,7 @@ let
         # --- retired:
         bisect-rustc = vps1;
         blog = vps1;
+        docker = vps1;
         www = vps1;
         uptime = vps1;
         hugo-chat = vps1 // {
diff --git a/newinfra/nix/modules/dns/noratrieb.dev.nix b/newinfra/nix/modules/dns/noratrieb.dev.nix
index e4aadac..02e094e 100644
--- a/newinfra/nix/modules/dns/noratrieb.dev.nix
+++ b/newinfra/nix/modules/dns/noratrieb.dev.nix
@@ -32,6 +32,11 @@ let
         "ns2.noratrieb.dev."
       ];
 
+      CAA = [
+        { issuerCritical = false; tag = "issue"; value = "letsencrypt.org"; }
+        { issuerCritical = false; tag = "issue"; value = "sectigo.com"; }
+      ];
+
       subdomains = {
         # --- NS records
         ns1 = dns1;