_acme-challenge fails with NXDOMAIN with own nameservers using powerdns

Hi, I am trying to do the DNS challenge with PowerDNS. To make debugging easier (after I didn't get it to work with automated tools talking to the PowerDNS API) I am now doing it on the staging server while manually entering the TXT into PowerDNS.

My domain is: fluxnet.nl (but any other domain that I have pointed at my nameserver has same problem)

I ran this command: certbot certonly --manual --preferred-challenges dns --debug-challenges -d *.fluxnet.nl -d fluxnet.nl --server=https://acme-staging-v02.api.letsencrypt.org/directory

It produced this output:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: fluxnet.nl
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.fluxnet.nl - check that a DNS record exists for
   this domain

   Domain: fluxnet.nl
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.fluxnet.nl - check that a DNS record exists for
   this domain

My nameserver is running at ns.boerman.at. I can see the TXT being responded when querying it with dig directly.

I am running certbot 1.11.0

I think I did something wrong in setting up my nameserver, but I can't think of anything else to try after fixing the following things (on top of the normal install):

  • making sure my SOA record is valid
  • having my nameserver also respond on ipv6
  • having both my primary (ns.boerman.at) and secondary server (ns0.transip.net, configured as a slave) as NS records

A records etc work just fine and I can see the challenge in TXT when using dig. Anybody have any good ideas? Thanks!

Hi @fboerman

how?

Your command has two domain names, the main domain and the wildcard.

So two TXT entries are required - with the same domain name _acme-challenge.fluxnet.nl and different values.

Your check - https://check-your-website.server-daten.de/?q=fluxnet.nl - looks ok, but there is no TXT entry.

Start Certbot with --debug-challenges, create both TXT entries, run the online check again to see if both values are visible. If yes -> next step.

Hi! thanks for taking the time to help me.

By using the pdns-admin interface. With the dig CLI I then query my nameserver to check if both records show up. I know there need to be 2, both with _acme-challenge as the name (this worked with my registrar flawlessly; the only different thing I'm doing now is running PowerDNS).

I did use --debug-challenges, and I verified that I saw the correct TXT records with:
dig _acme-challenge.fluxnet.nl txt @ns.boerman.at and
dig _acme-challenge.fluxnet.nl txt @1.1.1.1

I then checked your link and waited for the TXT to show up there. When all that was done I pressed enter in certbot to submit to the CA, and still I got the NXDOMAIN error. I kept the TXT records up so you can see it yourself.

I see the records - but only if I check ns.boerman.at.

Not with 2a01:7c8:dddd:195::195 or 195.135.195.195, the IP addresses of your second nameserver, ns0.transip.net.

So the transfer primary ns -> secondary doesn't work.

That's fatal, because Unbound (used by Letsencrypt) checks two name servers.


Agreed: Their SOA records don't match.
Even now they show:

dig fluxnet.nl soa @ns0.transip.net
fluxnet.nl. 3600 IN SOA ns.boerman.at. hostmaster.boerman.at. 2021013031 10800 3600 604800 3600

dig fluxnet.nl soa @ns.boerman.at
fluxnet.nl. 3600 IN SOA ns.boerman.at. hostmaster.boerman.at. 2021013032 10800 3600 604800 3600

It seems the sync time between your two nameservers is a lot longer than you would like or are expecting.
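The checks in this thread (every authoritative nameserver must return the same SOA serial and the same _acme-challenge TXT values before the CA is told to validate) can be scripted as a pre-flight check. This is an added example, not code from the thread or from PowerDNS; it works on dig-style answer text that you collect yourself, and the sample answers below are constructed, modelled on the output quoted above.

```python
import re

# Constructed sample modelled on the thread: the primary has bumped its serial
# and holds both challenge values, the secondary is still on the old serial.
SAMPLE = {
    "ns.boerman.at": {
        "soa": "fluxnet.nl. 3600 IN SOA ns.boerman.at. hostmaster.boerman.at. 2021013032 10800 3600 604800 3600",
        "txt": ["token-for-wildcard", "token-for-apex"],
    },
    "ns0.transip.net": {
        "soa": "fluxnet.nl. 3600 IN SOA ns.boerman.at. hostmaster.boerman.at. 2021013031 10800 3600 604800 3600",
        "txt": [],
    },
}

SOA_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_soa(line):
    """Return (serial, refresh, retry, expire, minimum) from a dig SOA answer line."""
    m = SOA_RE.search(line)
    if not m:
        raise ValueError("not an SOA answer: " + line)
    return tuple(int(x) for x in m.groups())

def serial_lt(a, b):
    """RFC 1982 serial comparison: True if a is older than b, 32-bit wraparound included."""
    half = 1 << 31
    return (a < b and b - a < half) or (a > b and a - b > half)

def check_zone(answers, expected_txt):
    """Compare SOA serial and TXT set across all nameservers; return a list of findings."""
    findings = []
    serials = {ns: parse_soa(a["soa"])[0] for ns, a in answers.items()}
    newest_ns = next(iter(serials))
    for ns in serials:                      # pick the most recent serial by RFC 1982 ordering
        if serial_lt(serials[newest_ns], serials[ns]):
            newest_ns = ns
    newest = serials[newest_ns]
    for ns, serial in serials.items():
        if serial_lt(serial, newest):
            refresh = parse_soa(answers[ns]["soa"])[1]
            findings.append(f"{ns}: serial {serial} is behind {newest}; without NOTIFY it polls every {refresh}s")
        missing = set(expected_txt) - set(answers[ns]["txt"])
        if missing:
            findings.append(f"{ns}: missing TXT values {sorted(missing)}")
    return findings

def zone_ready(answers, expected_txt):
    """True only when every nameserver agrees; only then press Enter in certbot."""
    return not check_zone(answers, expected_txt)
```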

Thanks @JuergenAuer and @rg305. Yes, I think they sync once every hour. I thought that LE would check the primary server and not the secondary (or both, but would find the TXT); I now realize that there is no real distinction between the two. I thought that since Cloudflare picked them up, LE would too. I am a bit of a beginner with the intricacies of advanced DNS (hence this experiment to learn more).

I have reread the SOA specifications and I seem to have a long REFRESH parameter, which explains why my secondary takes a while to pick up the TXT.

What do you propose as the best solution for this? A very short refresh parameter? Are there downsides to this? Is there a better solution (can you say, for example, to only refresh TXT, or is there a push system?)

  • Wait longer than the longest sync time or learn how to sync DNS properly [LOL]
  • Configure the servers to "push" and "pull" changes.

No, that will just make the secondary DNS ask "are we there yet?" over and over all day and night [even while the car is parked]

Yes, again, read and learn more about DNS best practices.

Better solution: Yes
"Push" system: Yes - there are ways to "notify" zone record changes.

How the two DNS servers "interact" depends greatly on how the admins chose to allow them to speak to each other. You would need to educate yourself on the possible options and then speak to whomever controls "ns0.transip.net" about available options.
Then you can make an educated decision about which available option is best for your situation.

If you have configured your master as master=yes and your slave as slave=yes, and have configured the axfr directives correctly, then when the zone changes on your master it should send a notification to the slave, and the slave should start the AXFR process to retrieve the modified zone.

You should review your conf in both servers.

You could also use this command on slave server to force retrieving your modified zone:

pdns_control retrieve fluxnet.nl

And if it works you could put it in a cron job, but I can't recommend it; it is much better to configure both servers correctly so that any modification on the master notifies the slave.

Cheers,
sahsanu

@rg305 thank you for the clear explanation
@sahsanu I do not control the second server. It's a free service provided by my registrar. Unfortunately they do not support NOTIFY requests. I don't really want to pay for a second VPS, so I'm now looking at a free Google Cloud small compute instance to host a simple second PowerDNS setup to act as slave. Thanks for your explanation!


If that free service doesn't accept notifications, have a look at: ClouDNS.net
They provide free globally accessible systems that can be set up as needed.
