CAA requests resulting in SERVFAIL since Dec 12th

I'm not aware of one, from my reading of the Unbound changelog they consider the completely-empty response as a "bad server" and so it's trying to fall back to a different authoritative server that might give it a valid response.

The tally so far that I've found seems to be:

Does look that way. Might make sense to start a separate thread (or include in the other thread) rather than hijack this one. But I don't know as there's much for people here to do; it looks to be a bug on the DNS provider's side that people have just been managing to get away with for some time. It could be worth trying some other CAs, or other DNS resolving software, to see if they report an error differently, but I think that Let's Encrypt is compelled to follow the DNS standards. (I don't know as I'd go so far as to call the previously-issued certificates validated against bad DNS servers as being misissued, but I think there's an argument to be made for it. And it's probably a hard argument to convince Let's Encrypt to roll back, though I don't know what process they use to determine which DNS server software they need to be using.)