nsupdate creates a jnl file and the dns rfc2136 authenticator uses nsupdate according to sydneyli at github.
It does not comitt to the zone so the TXT entries never happen into the zone. I can using a terminal window flush the waiting jnl file while certbot is waiting for propagation
I am running my own nameserver with glue records to public ips and using Google public servers 8.8.8.8 and 8.8.4.4 as resolvers in the /etc/resolv.conf file. This is Centos7 on an Open VZ platform with BIND 9.9.4. The link in the OP ( https://github.com/certbot/certbot/issues/6322 ) shows the config and more details on what is going wrong
If I do not use a separate zone file I get a “no SOA response” error and it replaces all my subdomain setups (subdomain.mydomain.com) in the zone file with $ORIGIN - and in essence trashes the zone file