The DNS servers don't support TCP:
https://unboundtest.com/m/A/support.cologlobal.com/PWQ2EVQV
https://unboundtest.com/m/A/support.novacarthosting.com/Y3HMWX4D
http://dnsviz.net/d/support.cologlobal.com/XADS2A/dnssec/
Let's Encrypt decreased the EDNS size from 4096 to 512 bytes two weeks ago, making TCP fallback more common.
I'm not sure why TCP fallback would happen in this case, but https://unboundtest.com/ -- which is similar to the Let's Encrypt resolvers -- seems to be doing it regardless.
Try fixing TCP?
Edit: Ah-ha, the culprit is ginormous (okay, ~1100 byte) authority and additional sections in the CNAME response, demonstrated by "dig +norecurse support.cologlobal.com @ns2.hspheredns.com".