If CAA lookup failed more than once and we can prove that there is no valid DNSSEC chain, we should be allowed to issue.
CAs are permitted to treat a record lookup failure as permission to issue if:
• the failure is outside the CA's infrastructure;
• the lookup has been retried at least once; and
• the domain's zone does not have a DNSSEC validation chain to the ICANN root.
See Baseline Requirements 18.104.22.168