Thanks for all the replies, I figured out the problem, I was still running bind 9.9.5 because the server was still on Ubuntu 14.04. That record only was introduced after 9.9.6. Did a distro upgrade to 16.04.2 this morning with only a few minor headaches getting bind9 to start, but an hour later and now Qualsys picks up the CAA record.
Now to upgrade my secondary DNS server to 16.04.2, this one now should only take me 20 minutes to have all the bind9 start issues sorted.
Just updated my secondary to 16.04.2 … took me all of 22 minutes, all sorted now.
Just a heads up for anyone upgrading the Ubuntu from 14.04 to 16.04, there appears to be a problem caused with logging settings in named.conf not being correct for the new version 9.10.3-P4-Ubuntu. It causes the bind9 service to fail when starting up. Just comment out all logging settings in named.conf and the service will start up fine, I now need to go and dig to find what the new logging settings formats and permissions are but that is what caused the upgrade of my primary to take me well over an hour, was getting the bind9 service to start up.