CAA SERVFAIL changes

Note: there is a bug in PowerDNS versions 4.0.3 and below that will cause SERVFAIL problems.

If you are a DNS operator and you use PowerDNS, please upgrade to 4.0.4. If you do not operate your DNS yourself and want to check whether your DNS operator uses PowerDNS, you can in some cases check the version string. First, find out what your nameservers are:

$ dig +short ns YOUR_BASE_DOMAIN_NAME
ns1.example.net.
ns2.example.net.

Pick one of the returned nameservers, for instance ns2.example.net, and run this query (replacing ns2.example.net with one of the nameservers found from the above command):

$ dig +short version.bind chaos txt @ns2.example.net
"PowerDNS Authoritative Server 4.0.4 (built Jun 22 2017 20:14:47 by buildbot@c1b965951e5b)"

If you are getting CAA SERVFAIL errors and this shows PowerDNS 4.0.3 or earlier, please contact your DNS operator to upgrade. Note that some servers do not allow querying version information. If you get no result, or only get "Served by PowerDNS - http://www.powerdns.com", then default to contacting your DNS operator. If you aren't sure who your DNS operator is, ask your hosting provider.
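The two dig steps above, wrapped into a small POSIX sh script as an added example (not code from the original post or from Let's Encrypt). It looks up the nameservers for a base domain, queries each one's version.bind TXT record, and classifies the answer: "affected" for PowerDNS Authoritative Server 4.0.3 or earlier, "ok" for 4.0.4 and later, and "unknown" when the version is hidden or the server is not PowerDNS. The check_domain function assumes dig is installed and network access is available; the classification function itself works offline on a version string, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify a version.bind answer and check every nameserver
# of a base domain for the PowerDNS CAA SERVFAIL bug (fixed in 4.0.4).

# Print "affected" if the string names PowerDNS Authoritative Server 4.0.3 or
# below, "ok" for 4.0.4 and later, and "unknown" when the version is hidden
# (e.g. "Served by PowerDNS - http://www.powerdns.com") or it is not PowerDNS.
classify_version_bind() {
    ver=$(printf '%s' "$1" | sed -n \
        's/.*PowerDNS Authoritative Server \([0-9]\{1,\}\)\.\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1 \2 \3/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    # Split "major minor patch" into the positional parameters.
    set -- $ver
    major=$1; minor=$2; patch=$3
    # Anything below 4.0.4 is affected; 4.0.4 and later carry the fix.
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 3 ]; }; then
        echo affected
    else
        echo ok
    fi
}

# Query the authoritative nameservers of the given base domain (needs dig and
# network access) and print one line per nameserver: name, classification,
# and the raw version.bind answer (empty if the server refused the query).
check_domain() {
    for ns in $(dig +short ns "$1"); do
        txt=$(dig +short version.bind chaos txt "@$ns" 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\n' "$ns" "$(classify_version_bind "$txt")" "$txt"
    done
}

# Usage: sh check_pdns.sh YOUR_BASE_DOMAIN_NAME
if [ "$#" -gt 0 ]; then
    check_domain "$1"
fi
```

A nameserver reported as "unknown" is not cleared: it may simply refuse version queries, so for those the advice in the post still applies and you should ask your DNS operator directly.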

Also note: because this bug only manifests on empty responses, you may be able to work around it by adding a CAA record to your zone that authorizes issuance for Let's Encrypt. CAA has been supported by PowerDNS since 4.0.0. If your nameservers are running versions earlier than that, you may also be able to work around it by adding a CNAME to a domain name whose authoritative nameserver runs different software, and adding a CAA record authorizing issuance there.