Well that’s an unfortunate downside to the recently required CAA records.
CAA records specify restrictions on which certificate authorities are permitted to issue certificates for a particular domain. We do not publish CAA records in the DNS for cam.ac.uk, so we mistakenly believed that this change in policy would not affect us.
However, names under private.cam.ac.uk cannot be resolved on the public Internet outside the CUDN, so certificate authorities are not able to successfully complete CAA checks for private.cam.ac.uk. The CAA specification RFC 6844 is not entirely clear about what certificate authorities should do in this situation, but refusing to issue a certificate is a sensible reaction, albeit not what we expected.