Subdomain certs failing, TLDs work fine

Oh, that CAA issue is definitely a problem. I can easily reproduce it using (which looks up DNS like Let's Encrypt does).

Your base name works fine, but the madison subdomain of that does not. You can try both names on unboundtest yourself to see the SERVFAIL.

It also only fails using unbound 1.18, which was a recent change in Let's Encrypt servers. Using 1.16 gave a proper response.

The TL;DR is: yes, you need to contact Hover and have them fix the SERVFAIL. Even show them the unboundtest site.

I don't know DNS as well as others here (such as @rg305), but that domain fails at an EDNS test site that we often use. This is likely the reason for the SERVFAIL.
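To see why a SERVFAIL on the subdomain blocks issuance even though the base name answers correctly, here is an added example (not from this post or from Let's Encrypt's own code) that simulates the CAA tree climb a CA performs (RFC 8659 section 3) against a constructed mock zone; the names and records are hypothetical.

```python
# Added example: simulate a CA's CAA check climbing from the requested name
# to its parents, and show that a SERVFAIL at any step must block issuance
# because the CA cannot prove that no CAA restriction exists.
from enum import Enum

class Rcode(Enum):
    NOERROR = 0
    SERVFAIL = 2
    NXDOMAIN = 3

# Constructed mock DNS data: name -> (rcode, CAA records as (flags, tag, value)).
# "madison.example.com." mirrors the failing subdomain from the thread.
MOCK_ZONE = {
    "example.com.": (Rcode.NOERROR, [(0, "issue", "letsencrypt.org")]),
    "madison.example.com.": (Rcode.SERVFAIL, []),   # broken at the provider
    "www.example.com.": (Rcode.NOERROR, []),        # NODATA: no CAA here
    "com.": (Rcode.NOERROR, []),
    ".": (Rcode.NOERROR, []),
}

def mock_lookup_caa(name):
    """Stand-in for a real CAA query; unknown names answer NXDOMAIN."""
    return MOCK_ZONE.get(name, (Rcode.NXDOMAIN, []))

def caa_relevant_set(fqdn, lookup=mock_lookup_caa):
    """Return ("ok", records) with the relevant CAA set for fqdn, or
    ("error", name) if a lookup on the climb fails with SERVFAIL."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rcode, records = lookup(name)
        if rcode == Rcode.SERVFAIL:
            return ("error", name)      # lookup failure is not "no CAA"
        if records:
            return ("ok", records)      # first non-empty set on the climb wins
    return ("ok", [])                   # reached the root: no restriction

def may_issue(fqdn, ca_domain="letsencrypt.org", lookup=mock_lookup_caa):
    """True only if the relevant CAA set (if any) permits ca_domain."""
    status, data = caa_relevant_set(fqdn, lookup)
    if status == "error":
        return False
    if not data:
        return True
    return ca_domain in [v for _flags, tag, v in data if tag == "issue"]

if __name__ == "__main__":
    print("www:", may_issue("www.example.com"))          # True
    print("madison:", may_issue("madison.example.com"))  # False (SERVFAIL)
```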