Hmm. That's all odd. When having the roots in the TLSA records, is your server actually sending the root as part of the chain that it sends? When I tried to wrap my head around DANE (which was a while ago now), it seemed that there wasn't an easy "out of the box" way to just use Let's Encrypt certs directly, because you either needed to add an extra root certificate onto the chain your server was sending, or as you say specify all possible intermediates.
I'm surprised that an issue resolving OSCP would cause problems as well.