Ah, this wasn't clear from your original message; I assumed ARSoft.Tools.Net was an established tool. I'm afraid Let's Encrypt staff aren't able to help you debug your DNS server, though you're welcome to keep talking it through with other forum members if you like. I will mention that I noticed different results at different times. For instance, sometimes dig will show me a single NS record, and sometimes dig will show me several:
$ dig TXT _acme-challenge.test-acme-dns-verification.suav.ec
; <<>> DiG 9.10.3-P4-Ubuntu <<>> TXT _acme-challenge.test-acme-dns-verification.suav.ec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.test-acme-dns-verification.suav.ec. IN TXT
;; ANSWER SECTION:
_acme-challenge.test-acme-dns-verification.suav.ec. 157 IN TXT "nSJOheM3ZP1F9UXtImAWjHdNKK5-Z9jc51bo1wpCzVA"
;; AUTHORITY SECTION:
suav.ec. 129453 IN NS suav.ec.
suav.ec. 129453 IN NS ns4.suav.ec.
suav.ec. 129453 IN NS ns2.suav.ec.
suav.ec. 129453 IN NS ns3.suav.ec.
;; ADDITIONAL SECTION:
suav.ec. 129453 IN A 54.76.42.38
ns3.suav.ec. 129453 IN A 54.76.42.38
ns2.suav.ec. 129453 IN A 54.76.42.38
ns4.suav.ec. 129453 IN A 54.76.42.38
;; Query time: 8 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Oct 05 09:16:01 PDT 2017
;; MSG SIZE rcvd: 267
Also, intentionally misspelling a record returns a seemingly related SPF record, which seems like an indicator of brokenness.
$ dig TXT _acme-challenge.xxxtest-acme-dns-verification.suav.ec
; <<>> DiG 9.10.3-P4-Ubuntu <<>> TXT _acme-challenge.xxxtest-acme-dns-verification.suav.ec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28354
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.xxxtest-acme-dns-verification.suav.ec. IN TXT
;; ANSWER SECTION:
_acme-challenge.xxxtest-acme-dns-verification.suav.ec. 1800 IN TXT "v=spf1 a include:spf.efwd.registrar-servers.com ~all"
;; AUTHORITY SECTION:
suav.ec. 129382 IN NS ns4.suav.ec.
suav.ec. 129382 IN NS ns3.suav.ec.
suav.ec. 129382 IN NS ns2.suav.ec.
suav.ec. 129382 IN NS suav.ec.
;; ADDITIONAL SECTION:
suav.ec. 129382 IN A 54.76.42.38
ns3.suav.ec. 129382 IN A 54.76.42.38
ns2.suav.ec. 129382 IN A 54.76.42.38
ns4.suav.ec. 129382 IN A 54.76.42.38
;; Query time: 164 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Oct 05 09:17:12 PDT 2017
;; MSG SIZE rcvd: 279
Lastly, I'd recommend taking the config from https://unboundtest.com/ and running your own local Unbound server so you can easily test the behavior of your bespoke authoritative DNS server against a popular recursive resolver.