Fail on CAA record for domain without CAA record

The problem isn't with Dyn or (directly) with your domain, it's with TP-Link.

The error message is misleading: it happens when you have CAA records explicitly blocking Let's Encrypt, and it can happen when the DNS response is invalid.

When Let's Encrypt does a DNS query for germany.vertesi.com CAA, the DNS resolver follows the CNAME to verthome.tplinkdns.com and... I'm not sure what happens.

tplinkdns.com has a lot of issues. I'm not even sure what most of them are.

http://dnsviz.net/d/tplinkdns.com/W8w6vA/dnssec/

$ dig verthome.tplinkdns.com caa
;; Got bad packet: FORMERR
67 bytes
88 dc 81 80 00 01 00 01 00 00 00 01 08 76 65 72          .............ver
74 68 6f 6d 65 09 74 70 6c 69 6e 6b 64 6e 73 03          thome.tplinkdns.
63 6f 6d 00 01 01 00 01 c0 0c 01 01 00 01 00 00          com.............
02 6c 00 04 5b 41 76 ba 00 00 29 10 00 00 00 00          .l..[Av...).....
00 00 00                                                 ...

One of them is responding with something invalid to CAA queries.

Another is that they don't support random capitalization, which is not invalid, but which may cause Let's Encrypt's resolvers to fail.

Not really. CNAMEs are okay. You were just using a CNAME to a DNS service that doesn't work well.

Edit:

To be explicit, it's fine not to have CAA records. A valid negative response is a-ok.

Also, I forgot to mention it, but there was one previous thread reporting issues with that domain.

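The 67 bytes that dig dumped above can be decoded offline to see why it reports FORMERR. What follows is an added example written for this thread, not code from the post or from Let's Encrypt: a small DNS wire-format parser (RFC 1035) plus a check of CAA RDATA layout against RFC 8659. The packet bytes are copied from the dig output; everything else (function names, the checks) is this example's own.

```python
"""Decode the 67-byte reply that dig dumped above and explain the FORMERR.

Added example for this thread; it is not code from the post or from
Let's Encrypt.  The packet bytes are copied from the dig output; the
parser and the CAA check below are written from RFC 1035 and RFC 8659.
"""
import struct

CAA, OPT = 257, 41
TYPE_NAMES = {1: "A", 5: "CNAME", OPT: "OPT", CAA: "CAA"}

# The raw response bytes exactly as printed by dig in the post.
RESPONSE = bytes.fromhex(
    "88dc8180000100010000000108766572"
    "74686f6d650974706c696e6b646e7303"
    "636f6d0001010001c00c010100010000"
    "026c00045b4176ba0000291000000000"
    "000000"
)


def read_name(msg, off):
    """Read a (possibly compressed) name at `off`; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_message(msg):
    """Parse header, question and all resource records of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            records.append({"section": section, "name": name, "type": rtype,
                            "ttl": ttl, "rdata": msg[off:off + rdlen]})
            off += rdlen
    if off != len(msg):
        raise ValueError("trailing or missing bytes: parsed %d of %d" % (off, len(msg)))
    return {"id": ident, "rcode": flags & 0xF, "questions": questions, "records": records}


def check_caa_rdata(rdata):
    """Return None if `rdata` is a well-formed CAA record, else a description.

    RFC 8659 section 4.1: flags (1 octet), tag length (1 octet, MUST be >= 1),
    tag (ASCII letters/digits, tag-length octets), then the value.
    """
    if len(rdata) < 2:
        return "only %d byte(s), no room for flags and tag length" % len(rdata)
    tag_len = rdata[1]
    if tag_len == 0:
        return "tag length is 0"
    if len(rdata) - 2 < tag_len:
        return "tag length %d but only %d byte(s) follow it" % (tag_len, len(rdata) - 2)
    if not rdata[2:2 + tag_len].isalnum():
        return "tag is not ASCII letters and digits"
    return None


def caa_problems(msg):
    """List (owner, problem) for every CAA answer that cannot be decoded."""
    parsed = parse_message(msg)
    return [(r["name"], check_caa_rdata(r["rdata"]))
            for r in parsed["records"]
            if r["section"] == "answer" and r["type"] == CAA
            and check_caa_rdata(r["rdata"]) is not None]


if __name__ == "__main__":
    m = parse_message(RESPONSE)
    print("rcode", m["rcode"], "question", m["questions"][0])
    for r in m["records"]:
        print(r["section"], r["name"], TYPE_NAMES.get(r["type"], r["type"]),
              r["rdata"].hex())
    for owner, why in caa_problems(RESPONSE):
        print("malformed CAA for", owner + ":", why)
```

Run stand-alone, it shows that the header says rcode 0 with one answer, and that the answer for verthome.tplinkdns.com. carries type CAA but only four bytes of RDATA, 5b 41 76 ba (the length of an A record's RDATA). Read as CAA, that is a flags byte of 0x5b followed by a tag length of 65 with only two bytes left, so the record cannot be decoded; a client that rejects the reply for that reason reports exactly the FORMERR that dig printed. A reply with rcode 0 and no answer records would parse cleanly, which is the valid negative response the edit above refers to.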