There have been challenges lately with this sort of setup, as the DNS response gets so large that their DNS resolver doesn't like it. If you can rework your system to use a different name for each domain name, it might be more reliable.
You can see some details in this thread, where LE staff @jcjones just deployed a change a few days ago that might help with it.
@jcjones, can you confirm that the Unbound change is in both on both the primary and secondary validation servers?