I'm not aware of one, from my reading of the Unbound changelog they consider the completely-empty response as a "bad server" and so it's trying to fall back to a different authoritative server that might give it a valid response.
The tally so far that I've found seems to be:
- 2 cases of completely-homebrew DNS server (this thread, and the one that prompted Let's Encrypt to roll back for a bit)
- 1 case of a misconfiguration of an old version of BIND with the wrong SOA record.
- 1 case of hover.com's nameservers having a problem
Does look that way. Might make sense to start a separate thread (or include in the other hover.com thread) rather than hijack this one. But I don't know as there's much for people here to do; it looks to be a bug on the DNS provider's side that people have just been managing to get away with for some time. It could be worth trying some other CAs, or other DNS resolving software, to see if they report an error differently, but I think that Let's Encrypt is compelled to follow the DNS standards. (I don't know as I'd go so far as to call the previously-issued certificates validated against bad DNS servers as being misissued, but I think there's an argument to be made for it. And it's probably a hard argument to convince Let's Encrypt to roll back, though I don't know what process they use to determine which DNS server software they need to be using.)