diff --git a/README.md b/README.md
index 20a8971..dd463fb 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,9 @@
 # terraform-aws-r53-zone
+
 TF Module for creating a R53 zone with DNSSEC, should be used in conjunction with lupus-metallum/dnssec-kms to create a key. This can be looped for unique keys per zone if desired. If a var.kms_key_arn is not specified, a zone with be created without DNSSEC.
 
 ## Example
+
 ``` Terraform
 module "dnssec_key" {
   source   = "Lupus-Metallum/dnssec-kms/aws"
@@ -12,11 +14,14 @@ module "dnssec_key" {
 
 module "r53_zone_example_net" {
   source  = "Lupus-Metallum/r53-zone/aws"
-  version = "1.2.1"
+  version = "1.7.0"
 
   domain_name           = "example.net"
   dnssec                = true
-  amazon_caa_record     = true
+  caa_record            = {
+    aws          = true
+    lets_encrypt = true
+  }
   outlook_autodiscover  = true
   kms_key_arn           = module.dnssec_key.key_arn
   signing_key_name      = "ExampleDefaultKey"
@@ -95,10 +100,10 @@ module "r53_zone_example_net" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The name/fqdn of the Route53 Zone. | `string` | n/a | yes |
-| <a name="input_amazon_caa_record"></a> [amazon\_caa\_record](#input\_amazon\_caa\_record) | Should we add a Certificate Authority Authorization Record for Amazon CA's? | `bool` | `true` | no |
 | <a name="input_atlassian_cloud_bounce"></a> [atlassian\_cloud\_bounce](#input\_atlassian\_cloud\_bounce) | Should we create the Atlassian Cloud bounce cname record | `bool` | `false` | no |
 | <a name="input_atlassian_cloud_fallback_dkim"></a> [atlassian\_cloud\_fallback\_dkim](#input\_atlassian\_cloud\_fallback\_dkim) | Should we create the Atlassian Cloud DKIM fallback cname record | `string` | `""` | no |
 | <a name="input_atlassian_cloud_primary_dkim"></a> [atlassian\_cloud\_primary\_dkim](#input\_atlassian\_cloud\_primary\_dkim) | Should we create the Atlassian Cloud DKIM primary cname record | `string` | `""` | no |
+| <a name="input_caa_record"></a> [caa\_record](#input\_caa\_record) | Should we add a Certificate Authority Authorization Record for commonly used CA's? | <pre>object({<br>    aws          = optional(bool, false),<br>    lets_encrypt = optional(bool, false)<br>  })</pre> | `{}` | no |
 | <a name="input_dmarc_value"></a> [dmarc\_value](#input\_dmarc\_value) | Values to put in the root/apex dmarc record of the zone? | `list(string)` | `[]` | no |
 | <a name="input_dnssec"></a> [dnssec](#input\_dnssec) | Should DNSSEC be enabled for this domain | `bool` | `true` | no |
 | <a name="input_github_org_name"></a> [github\_org\_name](#input\_github\_org\_name) | Name of the GitHub org to add the record for? | `string` | `""` | no |
diff --git a/main.tf b/main.tf
index 67f353d..b3c0dee 100644
--- a/main.tf
+++ b/main.tf
@@ -4,19 +4,26 @@ resource "aws_route53_zone" "this" {
 }
 
 resource "aws_route53_key_signing_key" "this" {
-  count                      = var.dnssec == true ? 1 : 0
+  count = var.dnssec == true ? 1 : 0
+
   hosted_zone_id             = aws_route53_zone.this.id
   key_management_service_arn = var.kms_key_arn
   name                       = var.signing_key_name
 }
 
 resource "aws_route53_hosted_zone_dnssec" "this" {
-  count          = var.dnssec == true ? 1 : 0
+  count = var.dnssec == true ? 1 : 0
+
   hosted_zone_id = aws_route53_key_signing_key.this[0].hosted_zone_id
+
+  depends_on = [
+    aws_route53_key_signing_key.example
+  ]
 }
 
 resource "aws_route53_record" "this" {
-  count   = var.dnssec == true ? 1 : 0
+  count = var.dnssec == true ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "@.${aws_route53_zone.this.name}"
   type    = "DS"
@@ -26,7 +33,8 @@ resource "aws_route53_record" "this" {
 }
 
 resource "aws_route53_record" "txt_this" {
-  count   = length(var.root_txt) > 0 ? 1 : 0
+  count = length(var.root_txt) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = aws_route53_zone.this.name
   type    = "TXT"
@@ -36,7 +44,8 @@ resource "aws_route53_record" "txt_this" {
 }
 
 resource "aws_route53_record" "mx_this" {
-  count   = length(var.root_mx) > 0 ? 1 : 0
+  count = length(var.root_mx) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = aws_route53_zone.this.name
   type    = "MX"
@@ -46,7 +55,8 @@ resource "aws_route53_record" "mx_this" {
 }
 
 resource "aws_route53_record" "dmarc_this" {
-  count   = length(var.dmarc_value) > 0 ? 1 : 0
+  count = length(var.dmarc_value) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "_dmarc.${aws_route53_zone.this.name}"
   type    = "TXT"
@@ -55,21 +65,28 @@ resource "aws_route53_record" "dmarc_this" {
 }
 
 resource "aws_route53_record" "caa_this" {
-  count   = var.amazon_caa_record == true ? 1 : 0
+  count = var.caa_record != {} ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = aws_route53_zone.this.name
   type    = "CAA"
   ttl     = var.ttl
-  records = [
-    "0 issue \"amazon.com\"",
-    "0 issue \"amazonaws.com\"",
-    "0 issue \"amazontrust.com\"",
-    "0 issue \"awstrust.com\""
-  ]
+  records = flatten(
+    var.caa_record.aws == true ? [
+      "0 issue \"amazon.com\"",
+      "0 issue \"amazonaws.com\"",
+      "0 issue \"amazontrust.com\"",
+      "0 issue \"awstrust.com\""
+    ] : [],
+    var.caa_record.lets_encrypt == true ? [
+      "0 issue \"letsencrypt.org\""
+    ] : []
+  )
 }
 
 resource "aws_route53_record" "outlook_autodiscover_this" {
-  count   = var.outlook_autodiscover == true ? 1 : 0
+  count = var.outlook_autodiscover == true ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "autodiscover.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -80,7 +97,8 @@ resource "aws_route53_record" "outlook_autodiscover_this" {
 }
 
 resource "aws_route53_record" "github_this" {
-  count   = var.github_verification_record != "" && var.github_org_name != "" ? 1 : 0
+  count = var.github_verification_record != "" && var.github_org_name != "" ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "_github-challenge-${var.github_org_name}.${aws_route53_zone.this.name}"
   type    = "TXT"
@@ -91,7 +109,8 @@ resource "aws_route53_record" "github_this" {
 }
 
 resource "aws_route53_record" "protonmail_domainkey_this" {
-  count   = length(var.protonmail_domainkey) > 0 ? 1 : 0
+  count = length(var.protonmail_domainkey) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "protonmail._domainkey.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -100,7 +119,8 @@ resource "aws_route53_record" "protonmail_domainkey_this" {
   records = [var.protonmail_domainkey]
 }
 resource "aws_route53_record" "protonmail2_domainkey_this" {
-  count   = length(var.protonmail2_domainkey) > 0 ? 1 : 0
+  count = length(var.protonmail2_domainkey) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "protonmail2._domainkey.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -109,7 +129,8 @@ resource "aws_route53_record" "protonmail2_domainkey_this" {
   records = [var.protonmail2_domainkey]
 }
 resource "aws_route53_record" "protonmail3_domainkey_this" {
-  count   = length(var.protonmail3_domainkey) > 0 ? 1 : 0
+  count = length(var.protonmail3_domainkey) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "protonmail3._domainkey.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -118,7 +139,8 @@ resource "aws_route53_record" "protonmail3_domainkey_this" {
   records = [var.protonmail3_domainkey]
 }
 resource "aws_route53_record" "stripe_domainkey1_this" {
-  count   = length(var.stripe_domainkey1) > 0 ? 1 : 0
+  count = length(var.stripe_domainkey1) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "${var.stripe_domainkey1}._domainkey.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -127,7 +149,8 @@ resource "aws_route53_record" "stripe_domainkey1_this" {
   records = ["${var.stripe_domainkey1}.dkim.custom-email-domain.stripe.com."]
 }
 resource "aws_route53_record" "stripe_domainkey2_this" {
-  count   = length(var.stripe_domainkey2) > 0 ? 1 : 0
+  count = length(var.stripe_domainkey2) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "${var.stripe_domainkey2}._domainkey.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -136,7 +159,8 @@ resource "aws_route53_record" "stripe_domainkey2_this" {
   records = ["${var.stripe_domainkey2}.dkim.custom-email-domain.stripe.com."]
 }
 resource "aws_route53_record" "stripe_domainkey3_this" {
-  count   = length(var.stripe_domainkey3) > 0 ? 1 : 0
+  count = length(var.stripe_domainkey3) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "${var.stripe_domainkey3}._domainkey.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -145,7 +169,8 @@ resource "aws_route53_record" "stripe_domainkey3_this" {
   records = ["${var.stripe_domainkey3}.dkim.custom-email-domain.stripe.com."]
 }
 resource "aws_route53_record" "stripe_domainkey4_this" {
-  count   = length(var.stripe_domainkey4) > 0 ? 1 : 0
+  count = length(var.stripe_domainkey4) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "${var.stripe_domainkey4}._domainkey.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -154,7 +179,8 @@ resource "aws_route53_record" "stripe_domainkey4_this" {
   records = ["${var.stripe_domainkey4}.dkim.custom-email-domain.stripe.com."]
 }
 resource "aws_route53_record" "stripe_domainkey5_this" {
-  count   = length(var.stripe_domainkey5) > 0 ? 1 : 0
+  count = length(var.stripe_domainkey5) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "${var.stripe_domainkey5}._domainkey.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -163,7 +189,8 @@ resource "aws_route53_record" "stripe_domainkey5_this" {
   records = ["${var.stripe_domainkey5}.dkim.custom-email-domain.stripe.com."]
 }
 resource "aws_route53_record" "stripe_domainkey6_this" {
-  count   = length(var.stripe_domainkey6) > 0 ? 1 : 0
+  count = length(var.stripe_domainkey6) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "${var.stripe_domainkey6}._domainkey.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -172,7 +199,8 @@ resource "aws_route53_record" "stripe_domainkey6_this" {
   records = ["${var.stripe_domainkey6}.dkim.custom-email-domain.stripe.com."]
 }
 resource "aws_route53_record" "stripe_bounce_this" {
-  count   = var.stripe_bounce == true ? 1 : 0
+  count = var.stripe_bounce == true ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "bounce.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -181,7 +209,8 @@ resource "aws_route53_record" "stripe_bounce_this" {
   records = ["custom-email-domain.stripe.com."]
 }
 resource "aws_route53_record" "o365_domainkey_this" {
-  count   = length(var.ms_domainkey) > 0 ? 1 : 0
+  count = length(var.ms_domainkey) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "selector1._domainkey.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -190,7 +219,8 @@ resource "aws_route53_record" "o365_domainkey_this" {
   records = [var.ms_domainkey]
 }
 resource "aws_route53_record" "o365_domainkey_this2" {
-  count   = length(var.ms_domainkey2) > 0 ? 1 : 0
+  count = length(var.ms_domainkey2) > 0 ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "selector2._domainkey.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -199,7 +229,8 @@ resource "aws_route53_record" "o365_domainkey_this2" {
   records = [var.ms_domainkey2]
 }
 resource "aws_route53_record" "atlassian_cloud_primary_dkim" {
-  count   = var.atlassian_cloud_primary_dkim != "" ? 1 : 0
+  count = var.atlassian_cloud_primary_dkim != "" ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "atlassian-${var.atlassian_cloud_primary_dkim}._domainkey.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -208,7 +239,8 @@ resource "aws_route53_record" "atlassian_cloud_primary_dkim" {
   records = ["atlassian-${var.atlassian_cloud_primary_dkim}.dkim.atlassian.net."]
 }
 resource "aws_route53_record" "atlassian_cloud_fallback_dkim" {
-  count   = var.atlassian_cloud_fallback_dkim != "" ? 1 : 0
+  count = var.atlassian_cloud_fallback_dkim != "" ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "atlassian-${var.atlassian_cloud_fallback_dkim}._domainkey.${aws_route53_zone.this.name}"
   type    = "CNAME"
@@ -218,7 +250,8 @@ resource "aws_route53_record" "atlassian_cloud_fallback_dkim" {
 }
 
 resource "aws_route53_record" "atlassian_cloud_bounce" {
-  count   = var.atlassian_cloud_bounce == true ? 1 : 0
+  count = var.atlassian_cloud_bounce == true ? 1 : 0
+
   zone_id = aws_route53_zone.this.zone_id
   name    = "atlassian-bounces.${aws_route53_zone.this.name}"
   type    = "CNAME"
diff --git a/variables.tf b/variables.tf
index 66e70f8..0f1b852 100644
--- a/variables.tf
+++ b/variables.tf
@@ -26,10 +26,13 @@ variable "ttl" {
   type        = number
 }
 
-variable "amazon_caa_record" {
-  description = "Should we add a Certificate Authority Authorization Record for Amazon CA's?"
-  default     = true
-  type        = bool
+variable "caa_record" {
+  description = "Should we add a Certificate Authority Authorization Record for commonly used CA's?"
+  default     = {}
+  type = object({
+    aws          = optional(bool, false),
+    lets_encrypt = optional(bool, false)
+  })
 }
 
 variable "outlook_autodiscover" {