Both SERVFAIL as well as a timeout during the CAA query would cause an error.
There’s not really a workaround, other than making sure your authoritative name servers give a valid response. You don’t need a CAA record or even a DNS server with real CAA support, an empty response is just fine. It can’t be something like SERVFAIL (or just a timeout). If Let’s Encrypt were to accept CAA timeouts as a valid response, there would not be much point in enforcing CAA at all (that opens up a way to bypass it via DoS attacks).
If you’re running your own DNS servers, an updated version of your DNS server software that doesn’t misbehave when faced with a CAA query might be available. If you’re using a third-party DNS provider, you’d have to ask them if that’s something they can fix or potentially switch to a different one.
We use dig command to check that with different type.
dig xxx.com.tw ->status: NOERROR
dig -t soa xxx.com.tw -> status: NOERROR
but
dig -t type257 xxx.com.tw -> status: SERVFAIL
so we guess this may cause by SERVFAIL, but not very sure. We may check that with the website you mentioned.
it’s ok in looking up A record, but it always return “status: SERVFAIL” in looking up CAA.
Our customer will ask their DNS provider to check that.