Looks like the main problem was a configuration problem of the gransy.com zone.
Read
gransy.com didn't send Glue records, instead the next SOA with the next name server.
Looked like a name server loop -> unbound needs too long -> stop.
Should be fixed now, so wildcard CNAME should work. More time to do these checks.