From the log it looks like the DNS update of the CNAME for delegated challenge response is ok
2025-04-23 16:42:20,587:WARNING:certbot.display.ops:Hook '--manual-auth-hook' for
...
...
+ cnamecheck='_acme-challenge.nasm.zytor.com is an alias for nasm.zytor.com.acme.zytor.com.'
+ '[' '_acme-challenge.nasm.zytor.com is an alias for nasm.zytor.com.acme.zytor.com.' '!=' '_acme-challenge.nasm.zytor.com is an alias for nasm.zytor.com.acme.zytor.com.' ']'
+ echo 'update add nasm.zytor.com.acme.zytor.com. 60 IN TXT "XcWye8h4JQu1xG0tqBoBfYdaaelb07hOKesZejDSp6A"'
...
...
However the challenge is then submitted to Let's Encrypt for validation very quickly afterwards:
2025-04-23 16:42:20,618:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall/32050082/510167090007/adC6yg:
DNS TTL values don't generally matter for DNS validation because Let's Encrypt is directly checking the authoritative name servers, however you do still need to allow enough time for all of your responding nameservers to give the same answer and currently it's submitting the challenge response within 100ms. You need at delay of at least 30 seconds from updating DNS to asking LE to verify (up to 5 mins for some DNS systems).
So if you are using the dns-rfc2136 plugin then the option is like --dns-rfc2136-propagation-seconds 30 as per Welcome to certbot-dns-rfc2136’s documentation! — certbot-dns-rfc2136 0 documentation