The part about secondary servers is from the Let's Encrypt side: LE uses 4 different vantage points around the world, 1 being the "primary" and 3 others being "secondary". If the primary succeeds, but 2 out of 3 of the secondary vantage points fail, the validation in total will fail and add "secondary" in the error message to specify this specifically.
For the CAA record? Well, they didn't answer you apparently..
Ah, so you didn't ask your DNS support about the error you got when you tried to add the CAA record.