Check https://letsencrypt.org/docs/caa/. To me this looks like it’s the same problem with PowerDNS where DNSSEC signatures across empty responses with mixed capitalization are bogus. If your provider is using PowerDNS, you should ask them to upgrade. If not, please let us know what software it is so we can help get it fixed.
Note that I haven’t spelunked in the records myself, but based on the comments here it seems to have the exact same symptoms.