Spurious CAA SERVFAIL responses during finalize

You can always use our rate limit adjustment form (linked from our rate limit documentation) to request adjustments to the "certificates per registered domain" rate limit. This should alleviate your concerns regarding having to renew too many certificates at a time.

Since you're shuffling subdomains between certificates at random, you could also consider getting a single wildcard certificate instead, reducing the number of validations you have to perform (and the number of CAA checks we have to do) from hundreds to just 1.

Let's Encrypt re-uses completed domain control validations (also known as Authorizations in the ACME protocol) for up to 30 days after they are completed -- in other words, successfully completing validation for a domain name means you won't have to re-do validation for that name for 30 days. (The Baseline Requirements allow up to 398 days, but we like to do better than that.)

Similarly, Let's Encrypt re-uses CAA determinations for up to 7 hours after they're retrieved -- in other words, if we see a CAA record that says we're allowed to issue for a given domain name, we will continue to trust that without re-checking for 7 hours. (The Baseline Requirements allow up to 8 hours, but we like to have a buffer.)
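As an added worked example (not part of the reply above, and not Let's Encrypt's own Boulder code), here is the CAA decision the reply refers to, implemented per RFC 8659 over a constructed in-memory zone, together with a determination cache that reuses a result for the 7-hour window mentioned. The zone contents, the `ZONE`, `CAA_TTL_SECONDS` and `CA_ID` names, and the function names are assumptions for illustration; RFC 8657 issue parameters (`accounturi`, `validationmethods`) are stripped rather than enforced.

```python
# Added example (not Boulder / Let's Encrypt code): CAA evaluation per RFC 8659
# plus a 7-hour reuse window for the resulting determination.
from typing import Dict, List, Tuple

CAA_TTL_SECONDS = 7 * 3600    # reuse window from the post; the BRs permit up to 8h
CA_ID = "letsencrypt.org"     # issuer-domain-name Let's Encrypt honours in CAA

# Constructed zone data for this example: domain -> CAA RRset as (flags, tag, value).
# Purely illustrative; no DNS is queried.
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com":        [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "locked.example.com": [(0, "issue", ";")],                       # nobody may issue
    "iodef.example.com":  [(0, "iodef", "mailto:caa@example.com")],  # no issue tag at all
    "other.example":      [(128, "newtag", "x"), (0, "issue", "letsencrypt.org")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(name: str) -> List[Tuple[int, str, str]]:
    """RFC 8659 section 3: the relevant RRset is the first non-empty CAA RRset
    found at the name itself or, climbing label by label, at one of its parents."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_of(value: str) -> str:
    """Strip RFC 8657-style parameters (';accounturi=...') and normalise case.
    Simplification: parameters are ignored here rather than enforced."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name: str, ca_id: str = CA_ID) -> bool:
    """Return True if CAA allows ca_id to issue for name ('*.' prefix = wildcard)."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name)
    if not rrset:
        return True                      # no CAA anywhere in the tree: no restriction
    # RFC 8659 section 4.1: an unrecognised property carrying the issuer-critical
    # flag (bit 0 of the flags octet, value 128) forbids issuance outright.
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tags = {tag for _, tag, _ in rrset}
    # Section 4.3: wildcard requests are governed by issuewild when present, else issue.
    tag = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    issuers = [issuer_of(v) for _, t, v in rrset if t == tag]
    if not issuers:
        return True                      # e.g. an iodef-only RRset restricts nothing
    # An empty issuer-domain-name (value ';') authorises no CA at all.
    return ca_id.lower() in issuers


# Determination cache: name -> (permitted, unix time checked), reused within the TTL.
_caa_cache: Dict[str, Tuple[bool, float]] = {}


def caa_permits_cached(name: str, now: float, ca_id: str = CA_ID) -> Tuple[bool, bool]:
    """Return (permitted, reused). 'reused' is True when a determination younger
    than CAA_TTL_SECONDS was served instead of re-evaluating the zone."""
    hit = _caa_cache.get(name)
    if hit is not None and now - hit[1] < CAA_TTL_SECONDS:
        return hit[0], True
    result = caa_permits(name, ca_id)
    _caa_cache[name] = (result, now)
    return result, False


if __name__ == "__main__":
    for n in ("www.example.com", "*.example.com", "host.locked.example.com",
              "iodef.example.com", "other.example", "nocaa.invalid"):
        print(f"{n:28} permitted={caa_permits(n)}")
    t0 = 1_700_000_000.0  # arbitrary unix timestamp for the demo
    print(caa_permits_cached("www.example.com", t0))            # fresh lookup
    print(caa_permits_cached("www.example.com", t0 + 6 * 3600)) # reused (6h < 7h)
    print(caa_permits_cached("www.example.com", t0 + 8 * 3600)) # re-evaluated (8h >= 7h)
```

The cache is keyed on the exact name being issued for, so `www.example.com` and `*.example.com` are separate determinations even though both resolve to the RRset at `example.com`; that matches the post's wording that a determination is reused for "a given domain name", and it is why a single wildcard certificate needs one CAA check where hundreds of hostnames need hundreds.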