The DuckCorp CA was created when HTTPS usage was not very common and certificates were very expensive. Time proved that the top CAs and their broken security model cannot be trusted, so we continued to use our own CA for quite some time.
Nowadays it is no longer viable to operate a self-signed CA, as all software and providers reject such certificates, so we now use Let's Encrypt certificates. To counteract this loss we use another system, DANE (see below).
We plan to continue using this CA for non-user-facing services.
Aside from the main CA we also have two CAs, one for monitoring and one for backup services. They could have been sub-CAs, but our tool does not support that.
As said above, all user-facing services use Let's Encrypt or soon will (#676).
Our zones are DNSSEC-signed and we publish DANE-EE TLSA DNS records for the leaf certificates. When possible, services are configured to validate TLSA records if they are available (Postfix at least).
Web vhosts do not have TLSA records yet, but this is coming (#675).
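As an added illustration of the DANE-EE records mentioned above (this is example code, not DuckCorp's tooling or zone data), the block below computes the "3 1 1" TLSA record for a leaf certificate and checks a presented certificate against a published record. Usage 3 (DANE-EE) means the TLSA record itself is the trust anchor, vouched for by DNSSEC rather than by the X.509 chain; selector 1 hashes only the SubjectPublicKeyInfo, so a Let's Encrypt renewal that keeps the same key needs no DNS change, while a key rotation must be published (ideally in advance, alongside the old record) or validating peers such as Postfix will refuse the connection. The DER walker, the host name mail.duckcorp.test, the placeholder key bytes and the skeleton certificate are all constructed for this example; it also goes slightly beyond the page by handling selector 0 (full certificate) and matching types 0 and 2.

```python
"""Compute and check DANE-EE TLSA records (RFC 6698) for a leaf certificate.

Added illustration, not DuckCorp tooling. Only the DER walking needed to
reach the SubjectPublicKeyInfo is implemented; no signature is verified here,
because with DANE-EE (usage 3) the TLSA record itself is the trust anchor and
the DNSSEC chain, not the X.509 chain, vouches for it.
"""
import hashlib
import hmac

# ---- minimal DER helpers ---------------------------------------------------

def der(tag: int, body: bytes) -> bytes:
    """Encode one definite-length DER TLV (used only to build the sample cert)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def split_tlv(blob: bytes):
    """Return (tag, inner body, remaining bytes) for the first TLV in blob."""
    tag, first = blob[0], blob[1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    return tag, blob[hdr:hdr + length], blob[hdr + length:]

def der_children(body: bytes):
    """List (tag, whole TLV) for every element packed inside a constructed body."""
    items = []
    while body:
        tag, _, rest = split_tlv(body)
        items.append((tag, body[:len(body) - len(rest)]))
        body = rest
    return items

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, cert_body, _ = split_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = split_tlv(cert_body)          # tbsCertificate comes first
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:            # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki = fields[5]
    if spki_tag != 0x30:
        raise ValueError("unexpected tag where SubjectPublicKeyInfo was expected")
    return spki

# ---- TLSA ------------------------------------------------------------------

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """RFC 6698 certificate association data for the given selector/matching type."""
    data = cert_der if selector == 0 else extract_spki(cert_der)  # 0 = full cert, 1 = SPKI
    if mtype == 0:
        return data                                 # exact match on the whole object
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    return digest(data).digest()

def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-format RDATA, default DANE-EE / SPKI / SHA-256 ('3 1 1 <hex>')."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, selector, mtype).hex()}"

def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name the record is published under, e.g. _25._tcp.mail.example."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def matches_tlsa(cert_der: bytes, rdata: str) -> bool:
    """Check a presented leaf certificate against one published DANE-EE record."""
    usage, selector, mtype, assoc = rdata.split()
    if usage != "3":                                # only DANE-EE is handled here
        return False
    expected = association_data(cert_der, int(selector), int(mtype))
    return hmac.compare_digest(expected, bytes.fromhex(assoc))

# ---- constructed sample certificate (not a real key or certificate) --------

def make_ed25519_spki(key: bytes) -> bytes:
    """SubjectPublicKeyInfo { id-Ed25519 (1.3.101.112), BIT STRING key }."""
    return der(0x30, der(0x30, der(0x06, b"\x2b\x65\x70")) + der(0x03, b"\x00" + key))

def build_test_cert(spki: bytes) -> bytes:
    """Skeleton v3 certificate around spki; the signature field is a dummy."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))
    cn = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"mail.duckcorp.test"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa + cn + validity + cn + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + bytes(64)))

SAMPLE_SPKI = make_ed25519_spki(bytes(range(32)))  # placeholder key bytes, not a real key
SAMPLE_CERT = build_test_cert(SAMPLE_SPKI)

if __name__ == "__main__":
    rdata = tlsa_rdata(SAMPLE_CERT)
    print(f"{tlsa_owner_name('mail.duckcorp.test', 25)} IN TLSA {rdata}")
    print("presented cert matches:", matches_tlsa(SAMPLE_CERT, rdata))
    rotated = build_test_cert(make_ed25519_spki(bytes(32)))
    print("after an unpublished key rotation:", matches_tlsa(rotated, rdata))
```

Run as a script it prints the zone line for port 25 and then shows the failure mode that matters operationally: once the key behind the certificate changes and the record is not updated, the check returns False and a validating client will not connect. The same digest can be cross-checked from a real PEM file with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum`.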