Failure to retrieve TXT records with RFC2136 DNS challenge

The diagnosis from the thread is correct: those malformed nameserver records in the parent zone are what's killing the secondary validation. Let me add a bit more on how to confirm exactly what's happening and what to push the registrar on.

The dig queries showing the TXT records exist on your PowerDNS servers are checking your own authoritative servers directly. What matters for LE's validators is what the .com TLD zone tells them when walking the tree. Run this to check what Verisign's registry actually has for paulo-sc.com:

dig NS paulo-sc.com @a.gtld-servers.net

If that returns ns2-auth.octoworld.fr2026-01-20nsdns.info in the answer section, that's definitive confirmation that the corruption is in the registry data itself, not just in your registrar's panel display.

When you contact the registrar, the specific thing to ask them to fix is the EPP object they submitted to Verisign. The malformed string looks like their system concatenated your NS hostname (ns2-auth.octoworld.fr) with a date-formatted internal field (2026-01-20) and another suffix (nsdns.info) when writing the nameserver delegation to the .com registry. This is a data submission bug on their end, not a glue record issue on yours.

On why .fr works but .com doesn't: .fr is managed by AFNIC, which has different registry procedures. If your registrar's bug only affects the EPP submission path they use for .com (Verisign), .fr domains would be unaffected. That's consistent with what you're seeing.

The resolution path is to get the registrar to delete and correctly resubmit the NS delegation for paulo-sc.com to Verisign. Specifically ask them to confirm the NS hostnames they submitted match exactly what you entered, with no additional characters.
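
The parent-zone check described above can be scripted so it is easy to re-run after the registrar resubmits the delegation. This is an added example, not part of the original reply: the function name `check_delegation` is hypothetical, the sample referral lines are constructed, and `ns1.example.net` is a placeholder for the other intended nameserver.

```shell
#!/bin/sh
# Compare the NS set a TLD server hands out with the NS set you intended.
# stdin: dig output in "name ttl class type rdata" form; args: intended NS hostnames.
# Live use (needs network):
#   dig +noall +authority +answer NS paulo-sc.com @a.gtld-servers.net \
#     | check_delegation ns1.example.net ns2-auth.octoworld.fr

check_delegation() {
    # Normalise both sides: lower-case, no trailing dot, sorted, de-duplicated.
    cd_expected=$(printf '%s\n' "$@" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | sort -u)
    # Keep only NS records (field 4); the delegated hostname is field 5.
    cd_actual=$(awk '$4 == "NS" { print tolower($5) }' | sed 's/\.$//' | sort -u)
    cd_rc=0

    # Names the registry publishes that you never asked for.
    for cd_name in $cd_actual; do
        if ! printf '%s\n' "$cd_expected" | grep -qxF -- "$cd_name"; then
            echo "UNEXPECTED in parent zone: $cd_name"
            cd_rc=1
        fi
    done

    # Names you asked for that the registry does not publish.
    for cd_name in $cd_expected; do
        if ! printf '%s\n' "$cd_actual" | grep -qxF -- "$cd_name"; then
            echo "MISSING from parent zone: $cd_name"
            cd_rc=1
        fi
    done
    return "$cd_rc"
}

# Constructed sample of a referral carrying the corrupted name from this thread.
# The corrupted name is still a syntactically valid hostname, so a syntax check
# would pass it; only a comparison against the intended set catches it.
SAMPLE_REFERRAL='paulo-sc.com.  172800 IN NS ns1.example.net.
paulo-sc.com.  172800 IN NS ns2-auth.octoworld.fr2026-01-20nsdns.info.'

# Offline demonstration on the constructed sample (exit status 1 is expected here).
printf '%s\n' "$SAMPLE_REFERRAL" | check_delegation ns1.example.net ns2-auth.octoworld.fr || true
```

A zero exit status means the parent zone's delegation matches the intended set exactly; any UNEXPECTED or MISSING line is the evidence to hand to the registrar.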