Hi, I work for a web host and we have provided a Let’s Encrypt integration for our customers. We are currently processing a couple thousand orders per day and saw this error for the first time this week. Our system is built in Ruby and uses an open source Ruby gem to place orders. I’m wondering if someone at LE can clue us into whether or not there is something specifically broken about this one site’s DNS so that I can pass that on to a customer.
The .com nameservers have a DS record for your domain present. This tells DNSSEC-enabled servers there should be an RRSIG record present for your domain in the corresponding authoritative name servers. But there is no RRSIG record. So the DNSSEC verification fails: it could be that a hacker is providing a fake answer!
The only way to fix this is either disable DNSSEC altogether by removing the DS record from the .com name servers or, preferably, fix DNSSEC by providing the correct DNSSEC records for your domain.
An insightful article about how DNSSEC works can be found here: How DNSSEC Works
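A pre-flight check for the condition described in the answer above (DS published at the parent, no RRSIG from the authoritative servers), as an added example that is not part of the original thread or of any ACME gem. It only checks record presence in saved `dig +dnssec` style output and does no cryptographic validation; the function names, result symbols and sample records are hypothetical and constructed.

```ruby
Record = Struct.new(:name, :ttl, :klass, :type, :rdata)

# Parse zone-file style lines as printed in dig's answer section.
def parse_records(text)
  text.each_line.filter_map do |line|
    line = line.strip
    next if line.empty? || line.start_with?(";")   # skip dig comments
    name, ttl, klass, type, rdata = line.split(/\s+/, 5)
    next unless rdata && ttl =~ /\A\d+\z/
    Record.new(name.downcase, ttl.to_i, klass.upcase, type.upcase, rdata)
  end
end

# Returns :insecure_delegation (no DS at parent, DNSSEC not expected),
# :no_data, :ds_without_rrsig (validators will fail), or :signed.
def dnssec_preflight(domain, qtype, parent_ds_text, auth_answer_text)
  fqdn = domain.downcase.sub(/\.?\z/, ".")
  ds = parse_records(parent_ds_text).select { |r| r.type == "DS" && r.name == fqdn }
  return :insecure_delegation if ds.empty?

  answer = parse_records(auth_answer_text)
  data = answer.select { |r| r.type == qtype && r.name == fqdn }
  return :no_data if data.empty?
  # The first RRSIG rdata field is the type the signature covers.
  sigs = answer.select do |r|
    r.type == "RRSIG" && r.name == fqdn && r.rdata.split.first.upcase == qtype
  end
  sigs.empty? ? :ds_without_rrsig : :signed
end

# Constructed sample data: example.com, documentation address, dummy digest and signature.
PARENT_DS = <<~DIG
  ;; ANSWER SECTION:
  example.com. 86400 IN DS 12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
DIG
AUTH_UNSIGNED = <<~DIG
  ;; ANSWER SECTION:
  example.com. 300 IN A 192.0.2.10
DIG
AUTH_SIGNED = AUTH_UNSIGNED + <<~DIG
  example.com. 300 IN RRSIG A 13 2 300 20300101000000 20291201000000 12345 example.com. ZHVtbXk=
DIG

if __FILE__ == $PROGRAM_NAME
  puts dnssec_preflight("example.com", "A", PARENT_DS, AUTH_UNSIGNED)
  puts dnssec_preflight("example.com", "A", PARENT_DS, AUTH_SIGNED)
end
```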