_443._tcp.cryptech.is. IN CNAME ca.hactrn.net.

ca.hactrn.net has a TLSA RR containing the issuing CA certificate with appropriate TLSA flag bits, so just adding the above CNAME should work. The last couple of messages on the thread were discussing optimizations that don't affect what you'd put in the CNAME.
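An added example, not part of the original message: a sketch of how a DANE client would follow the CNAME above to the TLSA RRset at ca.hactrn.net and match it against a presented chain. The certificate bytes, the flag values 2 0 1, the in-memory `ZONE` table and the function names are constructed assumptions; DNSSEC validation and chain signature checks are not modelled.

```python
import hashlib

# Constructed stand-ins for DER certificates (not real certificates).
CA_DER = b"constructed issuing CA certificate"
LEAF_DER = b"constructed server certificate"

# Constructed zone data. TLSA rdata is (usage, selector, matching type, data).
# Assumed flag bits: 2 0 1 (DANE-TA, full certificate, SHA-256); the message
# does not state which values ca.hactrn.net actually publishes.
ZONE = {
    ("_443._tcp.cryptech.is.", "CNAME"): ["ca.hactrn.net."],
    ("ca.hactrn.net.", "TLSA"): [(2, 0, 1, hashlib.sha256(CA_DER).digest())],
}

def resolve_tlsa(name, zone, max_hops=8):
    """Follow CNAMEs from name; return (final owner name, TLSA RRset)."""
    for _ in range(max_hops):
        name = name.lower()
        if (name, "TLSA") in zone:
            return name, zone[(name, "TLSA")]
        target = zone.get((name, "CNAME"))
        if not target:
            return name, []
        name = target[0]
    raise RuntimeError("CNAME chain too long or looping")

def tlsa_matches(rr, cert_der):
    """Compare one TLSA record with one certificate (selector 0 only)."""
    _usage, selector, mtype, data = rr
    if selector != 0:  # selector 1 needs SPKI extraction, not modelled here
        return False
    if mtype == 0:
        return data == cert_der
    digest = {1: hashlib.sha256, 2: hashlib.sha512}.get(mtype)
    return digest is not None and digest(cert_der).digest() == data

def chain_matches_tlsa(host, port, chain_der, zone):
    """chain_der is leaf first. Matching only: no DNSSEC or signature checks."""
    _owner, rrset = resolve_tlsa(f"_{port}._tcp.{host}.", zone)
    for rr in rrset:
        # Usages 0 and 2 pin a CA above the leaf; 1 and 3 pin the leaf itself.
        candidates = chain_der[1:] if rr[0] in (0, 2) else chain_der[:1]
        if any(tlsa_matches(rr, cert) for cert in candidates):
            return True
    return False
```

Because the CNAME sits at the TLSA owner name, replacing the CA certificate only requires updating the single RRset at the target name.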