Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Detail: DNS problem: SERVFAIL looking up CAA for - the domain's nameservers may be malfunctioning
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
In my case, it was a network fluke. A subsequent certbot renew on the www domain worked fine a 2nd time around.