From my understanding of Boulder, the latter. The CAA lookup appears to just be a generic opaque DNS error from the 3rd-party library. Shouldn't there be a test case to ensure we continue to generate this same error during these outages? The concern is a version bump of the 3rd party library could handle this error differently, and the test suite wouldn't pick that up.