Thanks to W.C.A Wijngaards for the very helpful reply on my last question, about DNSSEC, empty responses, and use-caps-for-id. We discovered a bug in PowerDNS (https://community.letsencrypt.org/t/caa-servfail-changes/38298/2), which happily was fixed in the 4.0.4 release in June.
I have another question related to SERVFAIL. Let's Encrypt tries to provide the most useful error messages possible to its users. My understanding is that a SERVFAIL response could indicate a variety of problems, including "DNSSEC validation failed," "a remote resolver failed," and "Unbound failed." Is there any way for us to distinguish the DNSSEC validation failure from the other cases, so we can provide that in a detailed error message to our users?

Thanks,
Jacob
