Yeah, but doing a CAA request on the full domain (which Let's Encrypt is obligated to do first) gives a DNSSEC validation failure.
https://unboundtest.com/m/CAA/lbc-tel.werkonderweg.nl/7OJFJQKS
Apr 06 19:39:02 unbound[1218286:0] info: validate(nodata): sec_status_bogus
https://dns.google/query?name=lbc-tel.werkonderweg.nl&rr_type=CAA&ecs=
DNSSEC validation failure.
You need to fix the DNSSEC for the non-existence of the CAA record of the full domain name.
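
The check described in this reply, as an added example that is not part of the original post: a model of the CAA lookup order from RFC 8659, starting at the full domain name, in which a DNSSEC validation failure on the "no CAA record" answer stops the check before the parent is ever consulted. The names `app.example.org` and `example.org`, the CAA values and the resolver responses are constructed for illustration, and only the `issue` tag is modelled.

```python
# Added illustration: constructed names and responses, not real DNS data.
SECURE_NODATA = "secure-nodata"   # validated proof that no CAA record exists
BOGUS = "bogus"                   # DNSSEC validation failed (resolver answers SERVFAIL)

def make_resolver(zone):
    """Return lookup(name) backed by a dict; absent names are validated NODATA."""
    return lambda name: zone.get(name, SECURE_NODATA)

def relevant_caa(fqdn, lookup):
    """Climb from the full name toward the root and return (owner, records).

    A bogus answer is a lookup failure, not an empty answer, so the climb
    stops there instead of falling through to the parent.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        answer = lookup(name)
        if answer == BOGUS:
            raise LookupError(f"CAA lookup for {name}: DNSSEC validation failure")
        if answer != SECURE_NODATA:
            return name, answer
    return None, []

def may_issue(fqdn, ca_domain, lookup):
    """Return (allowed, reason) for a CA identified by ca_domain."""
    try:
        owner, records = relevant_caa(fqdn, lookup)
    except LookupError as exc:
        return False, str(exc)
    # Drop any parameters after ';' and keep only the issuer domain names.
    issuers = [v.split(";")[0].strip() for tag, v in records if tag == "issue"]
    if owner is None or not issuers:
        return True, "no issue restriction found"
    if ca_domain in issuers:
        return True, f"authorized by CAA at {owner}"
    return False, f"CAA at {owner} does not list {ca_domain}"

# Parent zone authorizes the CA, but the NODATA proof for the full name is bogus.
broken = make_resolver({"app.example.org": BOGUS,
                        "example.org": [("issue", "letsencrypt.org")]})
# Same zone after the denial-of-existence records validate again.
fixed = make_resolver({"example.org": [("issue", "letsencrypt.org")]})

if __name__ == "__main__":
    print(may_issue("app.example.org", "letsencrypt.org", broken))
    print(may_issue("app.example.org", "letsencrypt.org", fixed))
```
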