Over the past few days, I have run several test configurations with certbot (using --break-my-certs). Every time, ~2/10 subdomains fail the challenge. Running certbot again then succeeds with the remaining subdomains. What's odd is that the subdomains that fail are different every time.
I've checked the domains with letsdebug as well, and there too I get variable results without having made any changes to my DNS records.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sub1.xxxxxxx.com
   Type: dns
   Detail: During secondary validation: DNS problem: SERVFAIL looking up CAA for sub1.xxxxxxx.com - the domain's nameservers may be malfunctioning

   Domain: sub2.xxxxx.com
   Type: dns
   Detail: During secondary validation: DNS problem: SERVFAIL looking up CAA for sub2.xxxxxxx.com - the domain's nameservers may be malfunctioning

 - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.