That is very interesting. The https://unboundtest.com site queries DNS similar to how Let's Encrypt does it. Yet, unboundtest shows all record lookups are fine.
Note you must use a DNSSEC resolver as if that is present LE validates it. So sometimes that is a reason why some DNS query tools show success but LE fails.
We often use https://dnsviz.net to evaluate DNS config. Yet again that shows everything is fine.
So, why would LE fail? This probably needs someone with more DNS expertise than I have.
Does this problem recur?
LE did make a recent change. Are you familiar with the DNS servers you use? Could this be affecting them somehow?