@mnordhoff has it exactly right. Let’s Encrypt looks up CAA for all domains it issues for. Currently in prod it will treat SERVFAIL the same as NOERROR, but per Upcoming API changes we are planning to start treating SERVFAIL as a failure, and refuse issuance (except for a whitelist of already-issued hostnames). The staging server is demonstrating that behavior today.
Can you tell use more about your DNS server? What software is it running, and with what configuration? Are there DNS-aware firewalls between your server and the Internet that might interfere with newer DNS record types like CAA?
Thanks,
Jacob