Hi @patch-work
your interpretation is wrong. Letsencrypt doesn't use dns caches.
Letsencrypt always queries the authoritative name servers via Unbound.
But this
is a fatal setup. Slave updates should happen in minutes.
If you can't change that, you should create your own client (or use a client with such a feature) with a longer wait before confirming the challenge.
You can use
to check that. Unbound always checks more than one of the authoritative name servers.
So if the name servers have different results -> that's fatal, that's expected.
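The "longer wait before confirming the challenge" suggested above can be made deterministic instead of a fixed sleep: poll every authoritative name server of the zone and only proceed once all of them return the new `_acme-challenge` TXT token, since Unbound may ask any of them. The script below is an added example, not code from the post, from Let's Encrypt or from any ACME client; it shells out to `dig` (BIND tools) and assumes the local resolver returns the zone's correct NS set. `example.com`, `_acme-challenge.www.example.com` and `PLACEHOLDER-TOKEN` are constructed placeholders.

```python
"""Wait until every authoritative name server of a zone serves the same
_acme-challenge TXT value before asking the ACME server to validate.

Added example (not the forum post's or Let's Encrypt's code). Requires the
`dig` binary; zone, record name and token below are constructed placeholders.
"""
import subprocess
import time


def dig_short(name, rrtype, server=None):
    """Return the answer lines of `dig +short`, or [] on failure or timeout."""
    cmd = ["dig", "+short", "+time=3", "+tries=1"]
    if server:
        cmd.append("@" + server)
    cmd += [name, rrtype]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return []
    return [line.strip() for line in out.stdout.splitlines() if line.strip()]


def authoritative_servers(zone):
    """Discover the zone's NS set via the local resolver (assumed trustworthy)."""
    return sorted(ns.rstrip(".") for ns in dig_short(zone, "NS"))


def txt_values(name, server):
    """TXT values as served by one authoritative server, surrounding quotes stripped."""
    return {v.strip('"') for v in dig_short(name, "TXT", server)}


def consensus(answers, expected):
    """Decide whether validation can proceed.

    answers: {server: set of TXT values that server returned}.
    Returns (ready, lagging): ready is True only when every server returns the
    expected token (a single stale secondary can fail the challenge), and
    lagging lists the servers that do not yet serve it, sorted by name.
    """
    lagging = sorted(s for s, vals in answers.items() if expected not in vals)
    return (len(answers) > 0 and not lagging, lagging)


def wait_for_propagation(zone, name, expected, timeout=600, interval=15):
    """Poll all authoritative servers until they agree, or give up after timeout.

    Returns True when every server serves `expected`, False on timeout.
    """
    servers = authoritative_servers(zone)
    if not servers:
        raise RuntimeError(f"no NS records found for {zone}")
    deadline = time.monotonic() + timeout
    while True:
        answers = {s: txt_values(name, s) for s in servers}
        ready, lagging = consensus(answers, expected)
        if ready:
            return True
        if time.monotonic() >= deadline:
            print("still lagging:", ", ".join(lagging))
            return False
        time.sleep(interval)


if __name__ == "__main__":
    # Constructed placeholders: substitute the real zone, record and token.
    ok = wait_for_propagation("example.com",
                              "_acme-challenge.www.example.com",
                              "PLACEHOLDER-TOKEN")
    print("all authoritative servers agree" if ok else "not propagated yet")
```

Run it (or call `wait_for_propagation`) between publishing the TXT record and telling the ACME server to validate; if secondaries still lag after the timeout, the printed `lagging` list names the servers whose zone transfer has not completed, which is the setup problem the post describes.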