They're permitted to. They're also permitted not to, which is the more secure, simple and standards encouraging design.
Currently the validator has no information about why a query failed, if DNSSEC is in use, or how many times it was retried. Guaranteeing BR compliance while loosening requirements on compliant and functional DNS may require non-trivial architectural changes on Let's Encrypt's part.
You should fix your DNS anyway.
(Well, until September they can do anything.)