No SSL for .sr TLD?

So, I haven't received a reply via my contact at Infoblox, but Gervase Markham from Mozilla happened to mention today that Infoblox doesn't anticipate a fix for this until "Q1 2018" (!!), which is to say sometime between January and March. This matches what another Infoblox customer reported at

I find that pretty sad because they've clearly heard from a number of customers, apparently some of them starting months ago, and @jsha has argued that the current behavior of these devices violates Internet standards because DNS servers should return NOERROR whenever they don't recognize a query type (specifically in order to allow new RR types to be introduced).

Anyway, @jsha also explained that if you can point your DNS delegation to a non-Infoblox server, even temporarily, and actively add a CAA record permitting Let's Encrypt to issue (in this exceptional case you do have to have a CAA record, which you wouldn't have to do if the parent DNS zone returned NOERROR), then you can get a certificate.

We should try to create something like @sahsanu's advice at

but with an additional explanation of how to create a CAA record to affirmatively permit issuance (again, this is only required in a case like .sr where the parent zone returns an error or times out).

By the way, I've continued to have contact with Telesur about this and they seem very apologetic about this situation and the inconvenience that it's causing for their customers.

5 Likes
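The CAA behaviour described in the post above, as an added example that is not part of the original post and is not Let's Encrypt's code: a simplified model of CAA tree climbing showing why a CAA record at the domain itself permits issuance when the parent zone's lookup fails. The name `example.sr`, the resolver data and the helper names are constructed, and critical flags and wildcard (`issuewild`) handling are left out.

```python
# Simplified model of CAA tree climbing (RFC 6844); constructed for illustration.
OK_RCODES = {"NOERROR", "NXDOMAIN"}  # both are usable answers; anything else is a failure

def make_resolver(zone_data, failing_names):
    """Build a lookup(name) -> (rcode, records) function over constructed data."""
    def lookup(name):
        if name in failing_names:
            return "SERVFAIL", []
        return "NOERROR", zone_data.get(name, [])
    return lookup

def caa_decision(domain, lookup, ca="letsencrypt.org"):
    """Return (allowed, reason). The first non-empty CAA set found while
    walking from the domain up to the TLD decides; a failed lookup refuses."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rcode, records = lookup(name)
        if rcode not in OK_RCODES:
            return False, f"CAA lookup for {name} failed with {rcode}"
        if not records:
            continue  # nothing published here, climb to the parent
        # Keep only the issuer domain, dropping any ";"-separated parameters.
        issuers = [value.split(";")[0].strip()
                   for _flags, tag, value in records if tag == "issue"]
        if not issuers or ca in issuers:
            return True, f"permitted by CAA set at {name}"
        return False, f"CAA set at {name} does not list {ca}"
    return True, "no CAA records found up to the TLD"

# Constructed scenario: the "sr" lookup errors out, the customer's own zone
# (hosted on a server that answers CAA queries) responds normally.
# Zone-file form of the record used below:  example.sr. IN CAA 0 issue "letsencrypt.org"
WITHOUT_CAA = make_resolver({}, failing_names={"sr"})
WITH_CAA = make_resolver({"example.sr": [(0, "issue", "letsencrypt.org")]},
                         failing_names={"sr"})
OTHER_CA = make_resolver({"example.sr": [(0, "issue", "ca.example")]},
                         failing_names={"sr"})

if __name__ == "__main__":
    for label, resolver in [("no CAA", WITHOUT_CAA), ("CAA added", WITH_CAA),
                            ("other CA only", OTHER_CA)]:
        print(label, caa_decision("www.example.sr", resolver))
```

With the record in place the climb stops at `example.sr` and never queries the failing parent, which is why the record is only needed in a case like this one.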