@cpu
Thank you for finding the reason why LE is refusing issuance.
When was the requirement added that authoritative name servers respond with case from the original query? We've been using LE for quite some time and haven't observed this issue until the past few days. Unrelated to our system, @_az has reported a similar experience.
I tried to see if these name servers are breaking spec, and it appears returning non-matching case is allowed by RFC 1035. draft-vixie-dnsext-dns0x20-00 - Use of Bit 0x20 in DNS Labels to Improve Transaction Identity attempted to change that but was never ratified. If I understand RFC 4343 - Domain Name System (DNS) Case Insensitivity Clarification correctly, it clarifies that name servers can be expected not to preserve case when employing name compression.
I recognize it's common practice to return the query's case in the answer section, but as you can see, not all name servers choose that implementation and this (new?) requirement is causing a lot of our customers to experience failure with LE (who were previously seeing success).
When we first integrated with LE, we documented the requirements for our customers here: Configure DNS and Provision HTTPS | Pantheon Global CDN
At the time, the relevant requirement was:
Authoritative Name Servers must serve mixed-case lookups, and must not fail CAA lookups
Was the change that required authoritative name server responses to be in matching case documented somewhere? Do you think LE may choose to roll it back?
Thank you for your time and efforts to secure the internet.
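
Added example, not part of the original post: a minimal offline check for the behaviour discussed in this thread, that is, whether a name server echoes a mixed-case (0x20) query name byte for byte. It assumes the comparison is made on the question section of the response; the name `www.example.com` and the lowercasing server are constructed for illustration.

```python
import random
import struct

def randomize_case(name, rng):
    """0x20 mixing: pick upper or lower case at random for each letter."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in name)

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Build a wire-format query: header (RD set, one question) + QNAME + QTYPE + QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def question_name(msg):
    """Return the QNAME of the first question as raw bytes, case untouched."""
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in question section")
        labels.append(msg[pos + 1:pos + 1 + length])
        pos += 1 + length
    return b".".join(labels)

def compare_case(query, response):
    """Classify how the response's question name relates to the one sent."""
    sent, got = question_name(query), question_name(response)
    if sent == got:
        return "exact"
    return "case-mismatch" if sent.lower() == got.lower() else "different-name"

def simulate_lowercasing_server(query):
    """Constructed stand-in for a server that normalizes the name to lowercase."""
    end = len(query) - 4  # QNAME ends just before QTYPE/QCLASS
    flags = struct.pack("!H", 0x8500)  # QR + AA + RD
    # Label length bytes are at most 63, so lower() only changes letters.
    return query[:2] + flags + query[4:12] + query[12:end].lower() + query[end:]

if __name__ == "__main__":
    q = build_query(randomize_case("www.example.com", random.Random()))
    print(question_name(q), compare_case(q, simulate_lowercasing_server(q)))
```

A server in the "case-mismatch" class is still answering correctly under the case-insensitive comparison rules of RFC 1035 and RFC 4343, which is why a resolver that insists on "exact" can start failing names that resolved before.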