We acquire certificates for hosts in our domain, gnwkservices.com, using DNS-01. The domain has two NS RRs, ns1.gnwkservices.com and ns2.gnwkservices.com; however, in order to reduce the risk of accidentally breaking the main zone file we have configured individual _acme-challenge.foo.gnwkservices.com zones which are used to handle ACME challenges, and these zones only declare one NS, ns1.gnwkservices.com.
Overall, name resolution seems to work fine: querying a challenge zone from the root level always correctly directs the client to ns1.gnwkservices.com. Unfortunately, when it comes to DNS-01, once in a while we get something along the lines of
DNS problem: NXDOMAIN looking up TXT for _acme-challenge.comet.gnwkservices.com
instead, especially for hosts with many aliases. Having run a query trace on both ns1 and ns2, it would appear the problem is that ACME servers ignore the fact that _acme-challenge domains are only provided by ns1 and attempt to distribute queries between ns1 and ns2.
A bug on the ACME-server side, perhaps?
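A consistency check worth running on a setup like this, as an added example that is not part of the original post: it asks every NS listed for the parent zone directly, with recursion disabled, for the challenge name and reports which server returns NXDOMAIN rather than an answer or a referral to the child zone's NS, which is what a validator's resolver would see if it happened to pick that server. It assumes `dig` from the BIND utilities is installed; the function names and the sample responses in the comments are my own, not from any tool.

```shell
#!/bin/sh
# Added example, not from the original post. Requires `dig` (BIND utilities).
# Hostnames in the usage comment are the ones from the post, used as sample input.

# Classify one dig response (header + answer + authority sections) by what an
# ACME validator would see from that server: ANSWER, REFERRAL, NXDOMAIN, ...
classify_response() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NXDOMAIN) echo "NXDOMAIN" ;;
        NOERROR)
            if printf '%s\n' "$out" | grep -q '[[:space:]]IN[[:space:]]TXT[[:space:]]'; then
                echo "ANSWER"          # server holds the child zone itself
            elif printf '%s\n' "$out" | grep -q '[[:space:]]IN[[:space:]]NS[[:space:]]'; then
                echo "REFERRAL"        # server delegates the name to the child NS
            else
                echo "EMPTY"           # NOERROR but no data and no delegation
            fi ;;
        "") echo "NO_RESPONSE" ;;
        *) echo "$status" ;;           # SERVFAIL, REFUSED, ...
    esac
}

# Query each nameserver of the parent zone for the challenge name, no recursion,
# and fail if any of them would make the validation fail.
check_delegation() {
    name="$1"; parent="$2"; rc=0
    for ns in $(dig +short NS "$parent"); do
        reply=$(dig @"$ns" +norecurse +noall +comments +answer +authority TXT "$name")
        verdict=$(classify_response "$reply")
        printf '%-28s %s\n' "$ns" "$verdict"
        case "$verdict" in ANSWER|REFERRAL) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Usage: sh check_delegation.sh _acme-challenge.comet.gnwkservices.com gnwkservices.com
if [ $# -eq 2 ]; then
    check_delegation "$1" "$2"
fi
```

A server that prints NXDOMAIN here is authoritative for the parent zone but has no delegation for the challenge name, so any resolver that lands on it gets the same error the CA reported.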