HTTP-01 challenge always pending for particular domain

Hi @rokclimb15

Good catch @rg305, thanks!

Not by default, but for cases where the response is larger than 512 bytes (our advertised edns buffersize value) there will be a truncated response from the authoritative nameserver and we will retry the query over TCP.

I suspect that's what is happening here, dig @ns3.ideaworldhq.net +norecurse proofs.ruthgillson.com shows big authority/additional information sections in the answer. Delivering a truncated answer without supporting TCP queries will result in the Let's Encrypt issuance problems you've observed.

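An added example, not code from the post or from Let's Encrypt, that reproduces the behaviour described above in pure Python: a non-recursive query advertising a 512-byte EDNS buffer, a check of the TC bit in the reply, and a TCP retry whose failure is reported separately so an operator can tell "answer too big for UDP" apart from "TCP not served". Message layouts follow RFC 1035 and RFC 6891; the sample headers are constructed and the nameserver address is whatever you pass in.

```python
import socket
import struct

def build_query(name, qtype=1, qid=0x1234, edns_udp_size=512):
    # Non-recursive (RD=0) query with an OPT record advertising edns_udp_size (512, like the validator)
    header = struct.pack(">HHHHHH", qid, 0x0000, 1, 0, 0, 1)  # qdcount=1, arcount=1 (the OPT RR)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # class IN
    # OPT pseudo-RR (RFC 6891): root owner name, type 41, CLASS field carries the UDP payload size
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt

def is_truncated(response):  # TC bit (0x0200) set means the answer did not fit the advertised buffer
    return bool(struct.unpack(">H", response[2:4])[0] & 0x0200)

def classify(udp_response, tcp_response):  # tcp_response is None when the TCP retry failed
    if not is_truncated(udp_response):
        return "ok-over-udp"
    if tcp_response is None:
        return "truncated-and-tcp-unreachable"  # the failure mode described in the post
    return "ok-after-tcp-retry" if not is_truncated(tcp_response) else "truncated-even-over-tcp"

def query(ns_ip, name, use_tcp=False, timeout=5.0):
    q = build_query(name)
    if not use_tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (ns_ip, 53))
            return s.recv(4096)
    with socket.create_connection((ns_ip, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(q)) + q)  # TCP messages are length-prefixed (RFC 1035 4.2.2)
        f = s.makefile("rb")
        length = struct.unpack(">H", f.read(2))[0]  # struct.error if the server closed early
        data = f.read(length)
        if len(data) < length:
            raise OSError("TCP answer cut short")
        return data

def check_nameserver(ns_ip, name):  # UDP first, TCP only on truncation, mirroring the validator
    udp = query(ns_ip, name)
    tcp = None
    if is_truncated(udp):
        try:
            tcp = query(ns_ip, name, use_tcp=True)
        except (OSError, struct.error): pass  # refused or broken TCP connection: tcp stays None
    return classify(udp, tcp)

# Constructed sample headers for offline checks: QR=1,TC=1 -> 0x8200; QR=1,TC=0 -> 0x8000
TRUNCATED_SAMPLE = struct.pack(">HHHHHH", 0x1234, 0x8200, 1, 0, 0, 0)
COMPLETE_SAMPLE = struct.pack(">HHHHHH", 0x1234, 0x8000, 1, 0, 0, 0)
```

Run `check_nameserver(<authoritative IP>, "proofs.ruthgillson.com")` against each listed nameserver; a result of `truncated-and-tcp-unreachable` is exactly the condition that stalls the challenge.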