Spurious CAA SERVFAIL responses during finalize

If that's actually the issue -- the number of CAA queries against your NS triggering some protections -- then a Relevant CAA Set would shortcut the algorithm and return early when it's encountered.

So it might be worth a try? Otherwise talk to your nameserver operator about what query limits they have that might affect CAA validations?

We're talking about doing things to space out those CAA checks, but it's not trivial because with them being potentially legitimately slow, it leads us to needing asynchronous finalization... which broke a lot of clients last time we enabled it.

Sharp rocks everywhere.
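
The early return mentioned in the post, as an added example that is not part of the original post and is not Let's Encrypt's code: a sketch of the RFC 8659 section 3 search for the Relevant Resource Record Set, counting how many CAA lookups an order generates depending on where a CAA record sits. The hostnames, the `ca.example` issuer and the dict standing in for a resolver are constructed assumptions; a real validator's caching and resolver behaviour will change the absolute numbers.

```python
# Added example: RFC 8659 section 3 Relevant Resource Record Set search.
# The zone contents and hostnames below are constructed sample data.

def relevant_caa_set(fqdn, zone, log):
    """Climb from fqdn toward the root; return the first non-empty CAA RRset.

    zone maps owner name -> list of CAA records (stand-in for a resolver).
    log collects every name that was queried, in order.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    while labels:
        name = ".".join(labels)
        log.append(name)              # one CAA query per level climbed
        rrset = zone.get(name, [])
        if rrset:                     # Relevant CAA Set found: stop early
            return rrset
        labels = labels[1:]           # move to the parent domain
    return []                         # no CAA anywhere on the path


def caa_queries(names, zone):
    """Return every CAA query made while checking all names on an order."""
    log = []
    for n in names:
        relevant_caa_set(n, zone, log)
    return log


# Constructed order: three deep hostnames under one zone.
SANS = ["a.eu.svc.example.com", "b.eu.svc.example.com", "c.eu.svc.example.com"]

# Case 1: no CAA records at all, so every name climbs all the way to "com".
NO_CAA = {}
# Case 2: CAA only at the zone apex; each name still climbs four levels.
APEX_CAA = {"example.com": ['0 issue "ca.example"']}
# Case 3: CAA at the parent shared by the hostnames; the climb stops after two.
NEAR_CAA = {"eu.svc.example.com": ['0 issue "ca.example"']}

if __name__ == "__main__":
    for label, zone in [("none", NO_CAA), ("apex", APEX_CAA), ("near", NEAR_CAA)]:
        print(label, len(caa_queries(SANS, zone)))
```

The closer the CAA record is to the names being validated, the fewer lookups each name costs, which is the shortcut the post refers to.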