Hi Folks,
I don’t have any conclusions yet, but I wanted to let you know that this issue has been receiving attention. I have confirmed for the examples you’ve provided here that Jacob’s point regarding our RPCs to store updated challenge information is correct.
In both of the cases listed here, we verified CAA records, successfully performed a domain validation lookup, and enacted the RPC to store the “valid” authorization result, but those RPCs failed.
However, the underlying cause of the RPC failure is not consistent, and I’m still tracing data and metrics to identify a cause. Thank you for the valuable data you’ve provided! I’ll update again when I have more information.