We probably won’t disable capsforid - we’ve been running with it for three years now, and while it’s occasionally unearthed some resolvers that break, it’s been rare, and most of them have been willing to roll out fixes. It seems like in this case, it was actually the rollout of our edns-buffer-size: 512 change that triggered this bug in Unbound. If anything, we might consider increasing it somewhat, to a number that is still lower than most Internet path MTUs, but it’s not immediately clear to me that this issue warrants that.
My understanding is that even before CommunityDNS rolled out their change, this was an intermittent error, so one attempt might fail but the next attempt might succeed. In a typical setup with renewal attempts starting at 30 days and retrying twice a day, I would expect that the vast majority of renewals would eventually succeed. Do you have any examples of certificates that are consistently failing renewal?
The validation logs from Boulder show a pretty typical base rate of SERVFAILs related to domains ending in “.be” over the last 14 days – about 5 per hour.
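For readers who haven't looked at what the two Unbound knobs in the reply above actually do on the wire, here is a small added example (not code from the thread, from Unbound or from Boulder). It builds a DNS query the way a capsforid (0x20) resolver would, with the QNAME's case randomised and an EDNS0 OPT record advertising a 512-byte UDP payload, and then checks a reply the simplified way the resolver does: the question name must come back byte-for-byte, case included. Two constructed "authoritative" replies are simulated, one that echoes the case and one that lowercases it; the second is the kind of server that gets "unearthed" by capsforid. The name `www.example.be` and the transaction ID are made up; nothing touches the network. Unbound's real handling of a mismatch is more elaborate than this model.

```python
"""
Added example, not from the original thread or from Unbound: a minimal model of
0x20 case randomisation (Unbound's use-caps-for-id) and the EDNS0 UDP payload
size (edns-buffer-size), built directly on the DNS wire format.
"""
import random
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, preserving the case it is given."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0:  # compression pointer; never expected in a question
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def randomize_case(name: str, rng: random.Random) -> str:
    """0x20 encoding: flip the case of each letter with probability 1/2."""
    return "".join(
        (c.upper() if rng.random() < 0.5 else c.lower()) if c.isalpha() else c
        for c in name
    )


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                udp_payload: int = 512) -> bytes:
    """Header (RD set, 1 question, 1 additional) + question + EDNS0 OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, TYPE 41, CLASS carries the UDP payload size,
    # TTL reused as extended RCODE/flags (0), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def advertised_udp_size(query: bytes):
    """Return the UDP payload size from the query's OPT record, or None."""
    _, off = decode_name(query, 12)
    off += 4  # skip QTYPE and QCLASS
    if query[off] != 0 or struct.unpack("!H", query[off + 1:off + 3])[0] != 41:
        return None
    return struct.unpack("!H", query[off + 3:off + 5])[0]


def parse_message(msg: bytes) -> dict:
    """Pull the ID, RCODE and question name/type out of a query or reply."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "rcode": flags & 0xF, "qname": qname, "qtype": qtype}


def check_reply(query: bytes, reply: bytes) -> str:
    """Resolver-side check: ID must match and the QNAME must match exactly,
    with the case the resolver sent (this is what capsforid enforces)."""
    q, r = parse_message(query), parse_message(reply)
    if q["id"] != r["id"]:
        return "id mismatch"
    if q["qname"] != r["qname"]:  # str comparison is case-sensitive
        return "qname case mismatch"
    return "ok"


def simulate_authoritative(query: bytes, echoes_case: bool) -> bytes:
    """Constructed stand-in for an authoritative server: copies the question
    back either verbatim or lowercased, sets QR, answers with no records."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    name = qname if echoes_case else qname.lower()
    header = struct.pack("!HHHHHH", txid, flags | 0x8000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


if __name__ == "__main__":
    q = build_query(randomize_case("www.example.be", random.Random(7)))
    print("advertised payload:", advertised_udp_size(q))
    print("good server:", check_reply(q, simulate_authoritative(q, True)))
    print("bad server: ", check_reply(q, simulate_authoritative(q, False)))
```

The lowercasing server is rejected even though, as a name, `www.example.be` is the same; that is the whole point of 0x20, since an off-path spoofer has to guess the case bits as well as the ID and port. Raising `edns-buffer-size` only changes the value in the OPT record's CLASS field; it does not interact with the case check at all, which is consistent with the reply above treating the two as separate decisions.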