Internal: CAA Record DNSSEC Issues

August 30, 2018

As a CA, we must conform to the CA/Browser Forum requirements.
Since early September 2017, CAs have been REQUIRED to check for the existence of CAA record(s) for a given public registrable dnsName (e.g. bob.test.example.net),
following any CNAME or DNAME published in DNS. Additionally,
we must validate DNSSEC signatures at all levels of the requested dnsName (RFC 6844, for reference: https://tools.ietf.org/html/rfc6844).

  • We have to check for the existence of CAA records at all levels AND validate DNSSEC signatures, on top of following all CNAMEs and DNAMEs.
  • A zone can be unsigned; that won't matter. What blocks issuance is a signed zone whose DNSSEC signatures fail to validate.
  • Additionally, if we do not receive a response from their systems within 2 seconds, the lookup times out.
  • Please fix the DNSSEC issues on those domains and we will be able to issue your certificate.
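The walk the bullets above describe, as an added example (not the CA's own code): the RFC 6844 section 4 climb from the requested dnsName toward the top-level domain, following a CNAME/DNAME target before moving to the parent, with the three outcomes the note cares about (an unsigned zone is accepted, a zone whose DNSSEC fails validation refuses issuance, and a query that gets no answer within 2 seconds refuses issuance). It runs against a constructed in-memory DNS table so it works offline; the `Answer` shape, the zone names and the `trusted-ca.example` issuer domain are assumptions. In production the `resolve` callable would wrap a validating resolver queried with a 2-second lifetime, mapping SERVFAIL to `bogus` and a missing AD bit to `insecure`.

```python
"""Added example: RFC 6844 section 4 CAA tree walk with DNSSEC and timeout
outcomes, run against a constructed in-memory DNS table (no network needed)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Answer:
    """A resolver response reduced to what the CAA walk needs (assumed shape).

    kind:   'CAA'   -> records hold CAA RRs as presentation-format strings
            'ALIAS' -> records[0] is the CNAME target, or the name after DNAME
                       substitution (a resolver synthesizes a CNAME for a DNAME)
            'EMPTY' -> NOERROR/NXDOMAIN with no CAA data
    status: 'secure'   validated (AD bit set)
            'insecure' unsigned zone, no AD bit: fine, the note says it won't matter
            'bogus'    signed but validation failed: validating resolver says SERVFAIL
            'timeout'  nothing came back within the 2-second budget
    """
    kind: str = "EMPTY"
    records: List[str] = field(default_factory=list)
    status: str = "secure"


Resolver = Callable[[str], Answer]      # owner name -> answer to a CAA query


class CAALookupError(Exception):
    """The walk could not complete; the CA must not issue."""


def relevant_caa(name: str, resolve: Resolver, _hops: int = 0) -> Tuple[str, List[str]]:
    """Return (owner, R(X)) per RFC 6844 section 4: R(X) = CAA(X) if non-empty;
    else R(A(X)) if X is an alias and that is non-empty; else R(P(X)) for the
    parent label; empty once X is a top-level domain."""
    x = name.strip(".").lower()
    if _hops > 8:
        raise CAALookupError(f"{x}: CNAME/DNAME chain too long (loop?)")
    ans = resolve(x)
    if ans.status == "timeout":
        raise CAALookupError(f"{x}: no response within 2 seconds")
    if ans.status == "bogus":
        raise CAALookupError(f"{x}: DNSSEC validation failed (SERVFAIL)")
    if ans.kind == "CAA" and ans.records:
        return x, ans.records                       # R(X) = CAA(X)
    if ans.kind == "ALIAS":
        owner, rrs = relevant_caa(ans.records[0], resolve, _hops + 1)
        if rrs:
            return owner, rrs                       # R(X) = R(A(X))
    labels = x.split(".")
    if len(labels) > 1:
        return relevant_caa(".".join(labels[1:]), resolve, _hops)   # R(P(X))
    return x, []                                    # X is a TLD: R(X) is empty


def _parse_caa(rr: str) -> Tuple[int, str, str]:
    """'0 issue "ca.example"' -> (0, 'issue', 'ca.example')."""
    flags, tag, value = rr.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def issuance_decision(name: str, ca_domain: str, resolve: Resolver) -> str:
    """'issue' if this CA is permitted for name, otherwise 'refuse: <reason>'."""
    try:
        owner, rrs = relevant_caa(name, resolve)
    except CAALookupError as exc:
        return f"refuse: {exc}"
    parsed = [_parse_caa(rr) for rr in rrs]
    # A critical (flag 128) property we do not understand forbids issuance.
    if any(fl & 128 and tag not in ("issue", "issuewild", "iodef") for fl, tag, _ in parsed):
        return f"refuse: unknown critical CAA property at {owner}"
    issue = [value for _, tag, value in parsed if tag == "issue"]
    if not issue:
        return "issue"   # empty set, or nothing that restricts issuance (RFC 8659 reading)
    # Value may carry parameters after ';'; 'issue ";"' authorizes nobody.
    if any(v.split(";")[0].strip() == ca_domain for v in issue):
        return "issue"
    return f"refuse: {owner} CAA does not authorize {ca_domain}"


# Constructed zone data for the demo (not real DNS). Owner name -> CAA-query answer.
FAKE_DNS: Dict[str, Answer] = {
    "bob.test.example.net":   Answer("EMPTY"),
    "test.example.net":       Answer("ALIAS", ["caa-policy.example.org"]),  # CNAME
    "caa-policy.example.org": Answer("CAA", ['0 issue "trusted-ca.example"']),
    "example.net":            Answer("CAA", ['0 issue "other-ca.example"']),
    "www.unsigned.example":   Answer("CAA", ['0 issue "trusted-ca.example"'], "insecure"),
    "host.broken.example":    Answer("EMPTY"),
    "broken.example":         Answer(status="bogus"),     # the case this note is about
    "slow.example":           Answer(status="timeout"),
}


def fake_resolve(name: str) -> Answer:
    """Stand-in for a validating resolver with a 2 s lifetime."""
    return FAKE_DNS.get(name, Answer("EMPTY"))


if __name__ == "__main__":
    for host in ["bob.test.example.net", "www.unsigned.example",
                 "host.broken.example", "slow.example", "nothing.example"]:
        print(f"{host:24} -> {issuance_decision(host, 'trusted-ca.example', fake_resolve)}")
```

Note that `bob.test.example.net` is authorized through the CNAME at `test.example.net` even though `example.net` names a different CA: the alias target is consulted before the parent, exactly as the section 4 algorithm orders it. The `host.broken.example` case is the situation this note is sent for: the host's own zone is fine, but the climb reaches a parent whose signatures do not validate, and the lookup fails there.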


Please see the Verisign DNSSEC debugger:
https://dnssec-debugger.verisignlabs.com/

Another tool that can help troubleshoot DNSSEC issues is DNSViz:
http://dnsviz.net

Thank you