It could be related to this new Let's Encrypt server-side error:
This error appears to be making CAA records effectively mandatory rather than optional, at least some of the time for some people. (If so, that is not intended behavior for the certificate authority.)