The following problem keeps recurring, so we need a solution from the server side (you at letsencrypt). Please do not broom the problem under the carpet, as we depend on it.
We use dns-01 with DNSSEC. When our servers talk, our hook adds your token to our authoritative DNS, then we re-sign the zone to comply with DNSSEC and wait for the slaves to self-update. There is no way around it. This is how it works. Our slaves, supplied by a third party, update 3 times every hour. Sometimes they fail, for reasons that are sufficient to our third-party supplier (maintenance, you name it). When the slaves are up to date, then the world begins updating their DNSs.
You understand that the process of renewing an SSL certificate with you cannot possibly rely on DNS caches, either yours or your suppliers', because it takes a long time when it succeeds (~30 min), and even more when it fails. If our slaves fail, like today when they stopped updating for an hour exactly when we were renewing our certificate, it is jolly hard to figure out the problem.
Therefore, we propose you update the procedure as follows.
When the client (us) uses DNSSEC, then trust the client's authoritative DNS. Do not wait for DNS cache updates.
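One way the hook side can detect the failure mode described in this post (a slave that has not picked up the re-signed zone) before telling the ACME client to proceed, as an added example that is not the poster's code: poll every authoritative nameserver directly for the `_acme-challenge` TXT record and its RRSIG, bypassing any recursive cache. It assumes dnspython for the live query (`pip install dnspython`) and a constructed list of nameserver addresses; the query function is injectable so the polling logic runs offline.

```python
"""Gate an ACME dns-01 hook on the authoritative servers, not on any cache.

After the hook has added the _acme-challenge TXT record and re-signed the
zone, poll the master and every slave until each serves the token with an
RRSIG covering it. Live queries use dnspython (assumed installed).
"""
import time
from typing import Callable, Iterable, List, Set, Tuple

# (nameserver_ip, fqdn) -> (TXT strings served, True if an RRSIG covers TXT)
QueryFn = Callable[[str, str], Tuple[List[str], bool]]


def dnspython_txt_query(nameserver: str, fqdn: str) -> Tuple[List[str], bool]:
    """Ask one authoritative server for TXT + RRSIG; no recursive resolver involved."""
    import dns.message, dns.query, dns.rdatatype  # assumed available at runtime
    query = dns.message.make_query(fqdn, dns.rdatatype.TXT, want_dnssec=True)
    reply = dns.query.udp(query, nameserver, timeout=5)
    strings, signed = [], False
    for rrset in reply.answer:
        if rrset.rdtype == dns.rdatatype.TXT:
            strings.extend(b"".join(rd.strings).decode() for rd in rrset)
        elif rrset.rdtype == dns.rdatatype.RRSIG and rrset.covers == dns.rdatatype.TXT:
            signed = True
    return strings, signed


def lagging_servers(fqdn: str, token: str, nameservers: Iterable[str],
                    query_fn: QueryFn) -> Set[str]:
    """Servers not yet serving the signed token; a failed query counts as lagging."""
    lagging = set()
    for ns in nameservers:
        try:
            strings, signed = query_fn(ns, fqdn)
        except Exception:  # timeout, refused, SERVFAIL: treat as not ready
            strings, signed = [], False
        if token not in strings or not signed:
            lagging.add(ns)
    return lagging


def wait_for_propagation(fqdn: str, token: str, nameservers: Iterable[str],
                         query_fn: QueryFn = dnspython_txt_query,
                         timeout: int = 3600, interval: int = 60,
                         sleep_fn: Callable[[float], None] = time.sleep) -> Set[str]:
    """Poll until every server agrees. Returns the still-lagging servers (empty = go)."""
    nameservers = list(nameservers)
    polls = max(1, timeout // interval)
    for attempt in range(polls):
        lagging = lagging_servers(fqdn, token, nameservers, query_fn)
        if not lagging:
            return set()
        if attempt < polls - 1:
            sleep_fn(interval)
    return lagging  # the hook should fail loudly here, naming these servers
```

When the returned set is non-empty the hook can abort with the names of the stalled slaves, which turns an hour of guessing into a one-line log entry.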