Thanks. Don’t have any strong conclusions, though.
Looks like all the validation servers can reach this nameserver.
One weird thing is the [RST,ACK] at the end of every TCP conversation, but that just might be some NAT oddity - both peers are behind NAT.
The other thing is that some of the DNS responses are very large, like 6KB. For some reason, when a query with the norecurse flag is sent, your nameserver comes back with a full authority & additional section, which gets kind of huge when the response is also authenticated. I don’t think that’s necessary and could cause Let’s Encrypt’s query deadline to get exceeded?
Finally I noticed that every time I query your nameservers locally, the TCP segments come back out of order, which produces a noticeable delay. But I can’t really reproduce it from other networks so meh.