ACME challenge won't complete until permissive CAA DNS record is deleted

My domain is:

I ran this command:
We are using certificate manager in k8s and trying to get certificates for *.a.mindbox.ru
We have the following CAA records for @ in zone mindbox.ru: "0 issue globalsign.com", "0 issue letsencrypt.org", "0 issue amazon.com", "0 issue godaddy.com". But when we try to get a certificate, the challenge fails with an error (next section). During debugging we discovered that we can get a certificate after deleting all CAA records for this domain, but that is strange since all of the records are only allowing letsencrypt.org.

* we don't have CAA records for a.mindbox.ru

It produced this output:
Error accepting authorization: acme: authorization error for a.mindbox.ru: 0 urn:ietf:params:acme:error:caa: During secondary validation: While processing CAA for *.a.mindbox.ru: CAA record for a.mindbox.ru prevents issuance

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
version v1.12.11 of helm chart

1 Like

Your CAA record has some extra quotes around your CAA URLs:

;; ANSWER SECTION:
mindbox.ru.		3600	IN	CAA	0 issue "\"letsencrypt.org\""
5 Likes
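To see why the quoted value blocks issuance, here is an added example (not from this thread or from any CA's code) that parses CAA records in dig's presentation format, decodes the backslash escapes, and applies the RFC 8659 matching rule; the inputs are the record shown above plus a constructed corrected version of it.

```python
import re
from typing import NamedTuple

class CAARecord(NamedTuple):
    flags: int
    tag: str
    value: str   # decoded value, i.e. what the CA actually compares against its own name

# Presentation-format line as printed by dig: "<name> [ttl] [IN] CAA <flags> <tag> <value>"
_CAA_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(?P<flags>\d+)\s+(?P<tag>\S+)\s+(?P<value>.*)$"
)

def _decode_value(raw: str) -> str:
    """Strip the outer quotes of a character-string and resolve backslash escapes (decimal escapes not handled)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)   # \" becomes " and \\ becomes \

def parse_caa(line: str) -> CAARecord:
    m = _CAA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return CAARecord(int(m["flags"]), m["tag"].lower(), _decode_value(m["value"]))

def issuer_domain(value: str) -> str:
    # RFC 8659 section 4.2: "<issuer-domain-name> [; parameters]"; an empty name forbids every CA
    return value.split(";", 1)[0].strip().lower()

def permits_issuance(records, ca_domain: str, wildcard: bool = False) -> bool:
    """RFC 8659 rule: issuewild wins for wildcard names, otherwise issue applies; no property means no restriction."""
    relevant = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)

# Constructed input: the record dig showed in the thread, and the same record without the stray escaped quotes.
BROKEN = parse_caa('mindbox.ru.\t\t3600\tIN\tCAA\t0 issue "\\"letsencrypt.org\\""')
FIXED = parse_caa('mindbox.ru.\t\t3600\tIN\tCAA\t0 issue "letsencrypt.org"')

if __name__ == "__main__":
    print(repr(BROKEN.value), permits_issuance([BROKEN], "letsencrypt.org", wildcard=True))  # '"letsencrypt.org"' False
    print(repr(FIXED.value), permits_issuance([FIXED], "letsencrypt.org", wildcard=True))    # 'letsencrypt.org' True
```

The decoded value of the broken record still carries literal double quotes, so it never equals the issuer name letsencrypt.org and the CA must refuse, which is exactly the "CAA record ... prevents issuance" error in the first post.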

There are more weird things about the DNS setup, too. I don't have time to dig into it now, but some systems think the nameservers are ns1.edgedns.co/ns2.edgedns.co, but others think they're ns1.yandexcloud.net/ns2.yandexcloud.net. And the yandexcloud ones are reporting NXDOMAIN for the name.

3 Likes

Thanks, that was the issue: yandexcloud and edgecenter interpreted our terraform records differently.

3 Likes