We have a domain (hemsida.eu) under which we allow our customers to create subdomains, as a preview (or live, if they wish) domain. The root domain (hemsida.eu) does not, and will never, have a DNS zone because cPanel doesn’t allow a subdomain to be added for another user’s domain for security reasons (this is the default and can be changed, but then at the risk of users adding subdomains for other users).
This used to work fine (except that we constantly hit the rate limit, but customers who already had a certificate could renew fine) until the implementation of CAA records. Now, anyone trying to renew a certificate for example.hemsida.eu will fail because Let’s Encrypt doesn’t get any response when trying to look up the CAA record for hemsida.eu.
I can imagine that there are other cases where you use subdomains but the “main” domain isn’t used and doesn’t have any DNS zone.
Is there any way of excluding a domain from this rule, or of changing the policy regarding getting a SERVFAIL/REFUSED so that it would be treated the same as an empty response?
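The failure described in the post comes from how a CA climbs the CAA tree (RFC 8659, section 3): an empty answer or NXDOMAIN at a name means "no CAA here, ask the parent", while SERVFAIL or REFUSED means the CA cannot know whether a CAA record exists, so it must refuse to issue. The script below is an added example, not code from the post or from Let's Encrypt; it walks the tree against a constructed in-memory resolver (`CONSTRUCTED_ZONES`, a stand-in for real DNS queries) so the logic runs offline. Names such as `caa_decision` and `CaaAnswer` are assumptions of this example. The constructed data reproduces the situation in the post: example.hemsida.eu answers normally but nothing serves a zone for hemsida.eu, so the parent lookup returns REFUSED.

```python
"""Walk the CAA tree the way a CA does (RFC 8659 section 3) and classify the
outcome: 'allowed', 'forbidden', or 'error' (a parent answered SERVFAIL/REFUSED)."""
from dataclasses import dataclass
from typing import Callable, Iterator, Tuple

# Response codes relevant to CAA processing, as constructed string labels.
NOERROR, NXDOMAIN, SERVFAIL, REFUSED = "NOERROR", "NXDOMAIN", "SERVFAIL", "REFUSED"


@dataclass(frozen=True)
class CaaRecord:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org"


@dataclass
class CaaAnswer:
    rcode: str
    records: tuple = ()


# Constructed data (hypothetical): a nameserver that serves example.hemsida.eu
# but no zone for hemsida.eu itself, so the parent lookup is REFUSED.
CONSTRUCTED_ZONES = {
    "example.hemsida.eu.": CaaAnswer(NOERROR),
    "hemsida.eu.":         CaaAnswer(REFUSED),
    "eu.":                 CaaAnswer(NOERROR),
    # A second, unrelated tree with an explicit CAA policy for comparison.
    "strict.example.org.": CaaAnswer(NOERROR, (CaaRecord(0, "issue", "letsencrypt.org"),)),
    "example.org.":        CaaAnswer(NOERROR),
    "org.":                CaaAnswer(NOERROR),
}


def constructed_resolver(name: str) -> CaaAnswer:
    """Stand-in for a real CAA query; a name with no entry behaves as NXDOMAIN."""
    return CONSTRUCTED_ZONES.get(name, CaaAnswer(NXDOMAIN))


def ancestors(fqdn: str) -> Iterator[str]:
    """Yield the FQDN, then each parent up to and including the TLD (root excluded)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def caa_decision(fqdn: str, issuer: str,
                 resolve: Callable[[str], CaaAnswer] = constructed_resolver,
                 wildcard: bool = False) -> Tuple[str, object, str]:
    """Return (status, name_that_decided, detail)."""
    for name in ancestors(fqdn):
        ans = resolve(name)
        if ans.rcode in (SERVFAIL, REFUSED):
            # The CA cannot distinguish "no CAA" from "CAA hidden by a broken
            # server", so RFC 8659 treats this as a failure, not as empty.
            return ("error", name, ans.rcode)
        if ans.rcode == NXDOMAIN or not ans.records:
            continue  # empty set: climb to the parent
        # The first non-empty set decides; nothing above it is consulted.
        return _evaluate(name, ans.records, issuer, wildcard)
    return ("allowed", None, "no CAA records anywhere in the tree")


def _evaluate(name: str, records: tuple, issuer: str, wildcard: bool):
    unknown_critical = [r for r in records
                        if r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef")]
    if unknown_critical:
        return ("forbidden", name, f"critical unknown tag {unknown_critical[0].tag}")
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return ("allowed", name, "no issue property restricts this request")
    # Value is "<issuer-domain>[; params]"; a bare ";" means no CA may issue.
    permitted = {r.value.split(";")[0].strip() for r in relevant}
    if issuer in permitted:
        return ("allowed", name, f"issue {issuer}")
    return ("forbidden", name, f"permitted issuers: {sorted(p for p in permitted if p) or ['none']}")


if __name__ == "__main__":
    for host in ("example.hemsida.eu", "www.strict.example.org", "a.b.example.net"):
        print(host, "->", caa_decision(host, "letsencrypt.org"))
```

The check worth running before a renewal is the one for the parent: if `caa_decision` reports `error` at hemsida.eu., serving an empty zone (a NOERROR/NODATA answer) for that name is what turns the walk into `allowed`, whereas a resolver that simply never answers leaves the CA unable to proceed.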