Hello deSEC Team,
I am experiencing a reproducible issue when obtaining Let’s Encrypt certificates via ACME DNS-01 using a deSEC-managed zone.
Environment
-
DNS provider: deSEC
-
Domain:
example.com -
ACME clients tested:
-
Caddy 2.11.4 (
caddy-dns/desecv1.1.0) -
lego
-
The issue occurs with both clients, so it does not appear to be specific to Caddy.
Observed behaviour
Both ACME clients successfully create the TXT record via the deSEC API.
However, the two authoritative nameservers appear to become inconsistent for some time afterward.
Immediately after the TXT record is created:
dig @ns1.desec.io TXT _acme-challenge.immich.nas.example.com +short
returns the expected challenge token, whereas
dig @ns2.desec.org TXT _acme-challenge.immich.nas.example.com +short
returns no record (NXDOMAIN).
Because lego verifies propagation against the authoritative nameservers before proceeding, it eventually fails with:
NS ns2.desec.org. returned NXDOMAIN for _acme-challenge.immich.nas.example.com
Second ACME attempt
If I immediately retry the certificate request, the behavior changes:
-
ns1.desec.ioalready serves the new challenge token. -
ns2.desec.orgnow serves the previous challenge token.
Let’s Encrypt then fails with:
During secondary validation:
Incorrect TXT record "<old token>" found at
_acme-challenge.immich.nas.example.com
This behavior is reproducible.
Conclusion
It appears that TXT record updates become visible on ns1.desec.io significantly earlier than on ns2.desec.org.
During ACME DNS-01 validation, this results in inconsistent answers from the authoritative nameservers:
-
First attempt:
-
ns1.desec.io→ new token -
ns2.desec.org→ NXDOMAIN
-
-
Second attempt:
-
ns1.desec.io→ new token -
ns2.desec.org→ previous token
-
Since the issue can be reproduced with both Caddy and lego, it does not appear to be client-specific.
Could you please investigate whether there is a replication or synchronization delay between the authoritative nameservers?
Thank you very much in advance.
Best regards,
Philip