It looks like I was looking too fast and misinterpreted. You’re right that there was a SERVFAIL (and there was also a timeout for a related domain):
403 :: caa :: Error creating new cert :: Rechecking CAA: While processing CAA for www.rule.com: DNS problem: SERVFAIL looking up CAA for www.rule.com, While processing CAA for www2.rule.com: DNS problem: query timed out looking up CAA for www2.rule.com
www.ndcpartnership.org has just the timeout message:
403 :: caa :: Error creating new cert :: Rechecking CAA: While processing CAA for www.ndcpartnership.org: DNS problem: query timed out looking up CAA for www.ndcpartnership.org
I do notice that you’re requesting large multi-SAN certificates. Sometimes checking rate limits for such large certificates can be a bit slow. Perhaps that’s taking away time from the overall deadline allowable for looking up CAA, resulting in a timeout for an otherwise performant DNS server.
Which DNS server software are you using? Do you have stats on response times? Can you set it to log queries and double check the performance of the next CAA query that you see timing out?
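As an added illustration (not code from this thread or from Let's Encrypt), here is a small standard-library Python probe that sends a raw CAA query to a resolver and reports the RCODE, the CAA records and the latency per name, so a SERVFAIL or timeout like the ones quoted above can be reproduced and timed from your own side; the resolver address, the timeout value and the make_response fixture used for offline testing are assumptions.

```python
import socket, struct, time

CAA_TYPE = 257                                           # RR type for CAA (RFC 8659)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_caa_query(name, txid=0x1234):
    """Standard recursive (RD=1) query for the CAA RRset of `name`."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", CAA_TYPE, 1)

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_caa_response(msg):
    """Return RCODE name plus the (flags, tag, value) CAA records in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                   # skip QTYPE/QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == CAA_TYPE:                            # RDATA: flags, tag length, tag, value
            n = rdata[1]
            records.append((rdata[0], rdata[2:2 + n].decode(), rdata[2 + n:].decode()))
    return {"rcode": RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}"), "caa": records}

def probe_caa(name, server="127.0.0.1", timeout=5.0):
    """Query one name; report rcode (or 'timeout') and latency in ms as a CA's recheck would see it."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)                         # assumed budget; the CA's own is unknown here
        try:
            sock.sendto(build_caa_query(name), (server, 53))
            parsed = parse_caa_response(sock.recvfrom(4096)[0])
        except socket.timeout:
            parsed = {"rcode": "timeout", "caa": []}
    return {"name": name, "status": parsed["rcode"], "caa": parsed["caa"], "ms": round((time.monotonic() - start) * 1000)}

def make_response(query, rcode, caa=()):
    """Constructed reply to `query` for offline testing, not output from any real server."""
    body = query[12:]                                    # echo the question section
    for flags, tag, value in caa:
        rdata = bytes([flags, len(tag)]) + tag.encode() + value.encode()
        body += b"\xc0\x0c" + struct.pack("!HHIH", CAA_TYPE, 1, 300, len(rdata)) + rdata
    return query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(caa), 0, 0) + body
```

Run probe_caa against the authoritative server for each SAN in the failing order and compare the reported latency with whatever your query log shows for the same CAA lookups.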