We acquire certificates for hosts in our domain, gnwkservices.com, using DNS-01. The domain has two NS RRs, ns1.gnwkservices.com and ns2.gnwkservices.com; however, in order to reduce the risk of accidentally breaking the main zone file, we have configured individual _acme-challenge.foo.gnwkservices.com zones which are used to handle ACME challenges, and these zones only declare one NS, ns1.gnwkservices.com.
Overall name resolution seems to work fine, querying a challenge zone from the root level always correctly directs the client to ns1.gnwkservices.com. Unfortunately when it comes to DNS-01, once in a while we get something along the lines of
DNS problem: NXDOMAIN looking up TXT for _acme-challenge.comet.gnwkservices.com
instead, especially for hosts with many aliases. Having run a query trace on both ns1 and ns2, it would appear that the problem is that ACME servers ignore the fact that _acme-challenge domains are only provided by ns1 and attempt to distribute queries between ns1 and ns2.
There’s also a mismatch in the nameserver set that the registry knows about vs. what your nameservers know about, as well as a glue problem. These are not the cause of your current problem, but you might want to fix them anyway.
Generally, all nameservers that are the target of a delegation must serve the same zone contents. In your case, .com delegates gnwkservices.com to your two nameservers, so they must serve the same zone, including any further delegations. You’re free to delegate sublabels to a single nameserver, but that delegation must exist in all nameservers that are responsible for gnwkservices.com.
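To make the rule in this answer concrete, here is an added example that is not part of the question or the answer above. It models two authoritative servers for gnwkservices.com where only ns1 carries the _acme-challenge delegation, simulates what a resolver gets back depending on which server it happens to pick, and runs the consistency check a practitioner would want before pointing an ACME client at the zone. The zone contents, the server labels "ns1"/"ns2", the parent NS set and the IP address are constructed for illustration; only the domain and the hostname comet come from the question.

```python
"""Simulate resolution against inconsistent delegations and check them.

Added example: zone snippets, server labels and the parent NS set are
constructed; the real zones are not known from the question.
"""

APEX = "gnwkservices.com."
CHALLENGE = "_acme-challenge.comet.gnwkservices.com."
# Constructed: what the .com registry delegates gnwkservices.com to.
PARENT_NS = {"ns1.gnwkservices.com.", "ns2.gnwkservices.com."}

# Constructed apex zone as served by ns1: it includes the child delegation.
NS1_ZONE = """
gnwkservices.com.                       IN NS  ns1.gnwkservices.com.
gnwkservices.com.                       IN NS  ns2.gnwkservices.com.
comet.gnwkservices.com.                 IN A   192.0.2.10
_acme-challenge.comet.gnwkservices.com. IN NS  ns1.gnwkservices.com.
"""
# Constructed apex zone as served by ns2: same data, but no delegation.
NS2_ZONE = """
gnwkservices.com.                       IN NS  ns1.gnwkservices.com.
gnwkservices.com.                       IN NS  ns2.gnwkservices.com.
comet.gnwkservices.com.                 IN A   192.0.2.10
"""
# The fix the answer describes: the same delegation present on ns2 as well.
NS2_FIXED_ZONE = NS2_ZONE + \
    "_acme-challenge.comet.gnwkservices.com. IN NS  ns1.gnwkservices.com.\n"


def parse_zone(text):
    """Return {(owner, type): set(rdata)} from a minimal 'owner class type rdata' listing."""
    rrs = {}
    for line in text.strip().splitlines():
        owner, _cls, rtype, rdata = line.split(None, 3)
        rrs.setdefault((owner.lower(), rtype.upper()), set()).add(rdata.strip())
    return rrs


def delegations(rrs, apex):
    """Owners below the apex that carry NS records, i.e. zone cuts to children."""
    return {owner: rd for (owner, t), rd in rrs.items()
            if t == "NS" and owner != apex and owner.endswith("." + apex)}


def check_consistency(servers, parent_ns, apex):
    """Report parent/apex NS mismatches and delegations missing on some servers."""
    problems = []
    for name, rrs in servers.items():
        apex_ns = rrs.get((apex, "NS"), set())
        if apex_ns != parent_ns:
            problems.append(f"{name}: apex NS {sorted(apex_ns)} differs from parent {sorted(parent_ns)}")
    by_child = {}
    for name, rrs in servers.items():
        for child, ns in delegations(rrs, apex).items():
            by_child.setdefault(child, {})[name] = ns
    for child, per_server in by_child.items():
        for name in servers:
            if name not in per_server:
                problems.append(f"{child} delegated on {sorted(per_server)} but missing on {name}")
        if len({frozenset(v) for v in per_server.values()}) > 1:
            problems.append(f"{child}: delegation NS sets differ between servers")
    return problems


def resolve(servers, chosen, qname, qtype, apex):
    """What the chosen apex server hands back: REFERRAL, ANSWER, NODATA or NXDOMAIN.

    Only the apex zone is modelled; in reality ns1 also hosts the child zone and
    would answer directly, so a REFERRAL here stands for 'ns1 can answer'.
    """
    rrs = servers[chosen]
    for child, ns in sorted(delegations(rrs, apex).items(), key=lambda kv: -len(kv[0])):
        if qname == child or qname.endswith("." + child):
            return ("REFERRAL", sorted(ns))
    if (qname, qtype) in rrs:
        return ("ANSWER", sorted(rrs[(qname, qtype)]))
    exists = any(o == qname or o.endswith("." + qname) for (o, _t) in rrs)
    return ("NODATA" if exists else "NXDOMAIN", [])


SERVERS = {"ns1": parse_zone(NS1_ZONE), "ns2": parse_zone(NS2_ZONE)}
SERVERS_FIXED = {"ns1": parse_zone(NS1_ZONE), "ns2": parse_zone(NS2_FIXED_ZONE)}

if __name__ == "__main__":
    for ns in ("ns1", "ns2"):
        print(ns, resolve(SERVERS, ns, CHALLENGE, "TXT", APEX))
    print("problems:", check_consistency(SERVERS, PARENT_NS, APEX))
    print("after fix:", check_consistency(SERVERS_FIXED, PARENT_NS, APEX))
```

Against the broken set, ns2 returns NXDOMAIN for the challenge name, which is exactly the intermittent error the question quotes: whichever resolver the ACME server uses picks one of the two NS at random, and half the time it lands on the server that has never heard of the child zone. Against live servers the same comparison can be made by querying each authoritative server directly with recursion disabled and diffing the NS records for the apex and for every delegated child.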