Your domain’s DNS seems to be misconfigured right now. It is pointing at some AWS Route53 nameservers, but those Route53 nameservers return REFUSED when queried for your domain.
I would try fixing your nameserver situation first and then seeing what happens with another --dry-run.
There have been some instances in the past where issues like network timeouts were a little racey and caused weird errors to be spit out of Let’s Encrypt/Certbot, but they were masking underlying issues with the domain name or webserver being issued.
So hopefully fixing your DNS should either fix everything, or unmask the underlying problem.
Late Edit: I believe this thread is a report of the same issue.