Hi, I know Debian 8 is enter in its end of life, but, maybe, to know this can be useful for you.
Virtualmin create a CAA record on DNS when a let's encrypt certificated is renewed. I think it started with Virtualmin 6.09.
That record is created with the following syntax:
@ IN CAA 0 issuewild letsencrypt.org
But it is only compatible with BIND ≥ 9.9.6, and Debian 8 has BIND 9.9.5.
For BIND < 9.9.6 the syntax is for Legacy Zone File (RFC 3597)
foo.org. IN TYPE257 # 22 000569737375656C657473656E63727970742E6F7267
foo.org. IN TYPE257 # 18 000569737375657365637469676F2E636F6D
Tested with the following versions:
webmin-virtual-server 6.09-3 Pro and 6.09.gpl