Consistent 500's for new-cert (failing CAA for one domain)

Your reading of the RFC seems to be describing the tree climb as I understand erratum 5065 describes it, not as the legacy CAA interpretation of the base RFC describes.