We, as a CA, need to conform to CA/Browser Forum requirements.
As of early Sept 2017, we CAs are REQUIRED to check for the existence of CAA record(s) for a given publicly registrable dnsName (e.g. bob.test.example.net),
and we need to follow CNAME and DNAME records if they are published in DNS. Additionally,
we need to validate DNSSEC signatures at all levels of the requested dnsName (RFC 6844, for reference: https://tools.ietf.org/html/rfc6844).
Please see (include links to verisign DNSSEC checker)
Another link can help troubleshoot the issue with DNSSEC.
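The CAA lookup described above (check the name, follow an alias if one is published, then climb toward the root) can be sketched as follows. This is an added example, not the CA's own code: it follows the lookup rule as originally written in RFC 6844, runs over constructed in-memory zone data instead of live DNS, and leaves DNSSEC validation out. The names `CAA`, `ALIAS`, `parent` and `relevant_caa` are hypothetical.

```python
# Constructed sample data (not real DNS): owner name -> CAA records as (tag, value)
CAA = {
    "example.net.": [("issue", "ca.example")],
    "locked.example.org.": [("issue", ";")],
}
# Constructed aliases: owner name -> CNAME/DNAME target, A(X) in RFC 6844 terms
ALIAS = {
    "bob.test.example.net.": "host.cdn.example.org.",
    "shop.example.net.": "shop.locked.example.org.",
    "loop-a.example.com.": "loop-b.example.com.",
    "loop-b.example.com.": "loop-a.example.com.",
}


def parent(name):
    """P(X): drop the leftmost label; None once X is a top-level domain."""
    labels = name.rstrip(".").split(".")
    return None if len(labels) <= 1 else ".".join(labels[1:]) + "."


def relevant_caa(name, caa=CAA, alias=ALIAS, _seen=None):
    """R(X): the CAA record set a CA must evaluate for the requested name.

    Order of checks: CAA at X, then R(alias target of X), then R(parent of X).
    """
    seen = set() if _seen is None else _seen
    name = name.lower().rstrip(".") + "."
    if name in seen:
        # Already visited: either an alias loop or a branch known to be empty.
        return []
    seen.add(name)
    if caa.get(name):
        return caa[name]
    target = alias.get(name)
    if target:
        rrset = relevant_caa(target, caa, alias, seen)
        if rrset:
            return rrset
    up = parent(name)
    return relevant_caa(up, caa, alias, seen) if up else []


if __name__ == "__main__":
    for requested in ("bob.test.example.net", "shop.example.net",
                      "loop-a.example.com"):
        print(requested, "->", relevant_caa(requested))
```

In the constructed data, `shop.example.net` resolves to the policy found above its alias target rather than to the policy at `example.net`, which is why aliases have to be followed before climbing the requested name's own parents.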