DNS is a geographically distributed database. Authoritative servers hold the zone data; recursive resolvers look names up on a client's behalf and cache every answer they get for as long as its TTL allows. When you add the ACME TXT record (_acme-challenge.<name>) to your zone on your authoritative server, you have "written" it into the global DNS, but nobody else sees it at once. There is a hierarchy. First comes your primary (master) authoritative server, the only place where the zone is edited. Then come your secondaries (slaves), which are authoritative too, but only serve the new record after they have been notified (or their refresh timer has expired) and have transferred the zone. Finally come the recursive resolvers of the rest of the world, which never hold your zone at all: they only cache the individual answers they have fetched, including a negative answer ("no such record") if somebody asked them before you added it, and they keep that cached answer until its TTL runs out. So a lookup through a recursive resolver can return nothing, or the old value, long after the record is in your zone, and the challenge fails. This is utterly frustrating.

Two things follow. Let's Encrypt's validators do their own recursion from the root rather than going through a shared public cache, so what usually bites you is a secondary that has not transferred the zone yet (any of your NS servers may be the one that gets asked), or a negative answer that some cache picked up from a premature check. And the check you do yourself before you let the client trigger the validation must not go through a recursive resolver either: query the authoritative (master) servers directly, and only hand off to ACME once they all answer with the new record, so no time is wasted waiting for the global DNS cache. For example, to find those servers you can do this:
unbound-host -rvD -tNS $fqdn
Here -r uses the resolvers from /etc/resolv.conf, -D turns on DNSSEC validation, -v prints the validation result and -t NS asks for the nameserver records. If the answer comes back as (secure), the NS set is DNSSEC-signed and can be trusted; (insecure) only means the zone is not signed, which is fine for this purpose, while a BOGUS result is a validation failure you should look into before anything else. Note that $fqdn here must be the zone name: NS records live only at the zone apex, so asking for NS on the challenge name itself, or on a host deeper in the zone, returns nothing; walk up the labels until you get an answer.
NS records carry no priority (that is MX and SRV), and there is no "first" server: every name listed, say ns0.$fqdn, is equally authoritative, and Let's Encrypt may ask any of them. So do not pick one; query each of them for the _acme-challenge TXT record, with recursion disabled so that the server has to answer from its own zone data and cannot forward the question elsewhere. The primary is up to date the moment you have reloaded the zone; a secondary is up to date once it has received the NOTIFY and transferred the zone. When every one of them returns the new value, let the ACME client trigger the validation, with no need to waste time waiting for anybody's cache.
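The procedure above, written out as a shell script. This is an added example, not code from the original page or from any ACME client: it finds the zone that owns the challenge name by walking up the labels until an NS answer appears, checks the DNSSEC AD flag on that answer, then asks every authoritative server for the _acme-challenge TXT record with recursion disabled and reports which servers do not serve the expected value yet. It uses dig instead of unbound-host because dig's +norecurse and @server switches make the per-server query explicit; the script name, the zone example.org, the nameserver names and the token value are assumptions, and the poll loop at the end is a hypothetical way of gating the ACME client on the result.

```shell
#!/bin/sh
# Hypothetical helper (not part of the original page): verify an ACME DNS-01
# TXT record on every authoritative nameserver of the zone instead of going
# through a recursive resolver, so a stale secondary is caught before you ask
# Let's Encrypt to validate. Needs only dig (bind-utils / dnsutils).
set -eu

# Print a name and each of its parents, one per line, e.g.
#   _acme-challenge.www.example.org  www.example.org  example.org  org
ancestors() {
    anc_name=${1%.}
    while [ -n "$anc_name" ]; do
        printf '%s\n' "$anc_name"
        case $anc_name in
            *.*) anc_name=${anc_name#*.} ;;
            *)   anc_name= ;;
        esac
    done
}

# NS records only exist at a zone apex, so asking for NS on the challenge
# name itself returns nothing. Walk up the parents; the first one that has
# NS records is the zone the TXT record must be written into.
find_zone() {
    for fz_candidate in $(ancestors "$1"); do
        if [ -n "$(dig +short NS "$fz_candidate")" ]; then
            printf '%s\n' "$fz_candidate"
            return 0
        fi
    done
    return 1
}

# All nameservers of a zone, trailing dot stripped, one per line.
zone_nameservers() {
    dig +short NS "$1" | sed 's/\.$//' | sort
}

# True when the validating resolver set the AD flag on the NS answer, i.e.
# the delegation validated under DNSSEC (the "secure" result in the text).
ns_answer_is_secure() {
    dig +dnssec +noall +comments NS "$1" | grep -q 'flags:[^;]* ad[ ;]'
}

# TXT values for a name as served by one nameserver. Recursion is disabled so
# the server must answer from its own zone data and cannot forward the query.
authoritative_txt() {
    at_ns=$1; at_name=$2
    dig +short +norecurse "@$at_ns" "$at_name" TXT | tr -d '"'
}

# Compare the expected challenge value against every authoritative server.
# Prints one line per server; returns 1 if any of them does not serve it yet.
check_all_ns() {
    ca_name=$1; ca_expected=$2
    ca_zone=$(find_zone "$ca_name") || { echo "no zone found for $ca_name" >&2; return 1; }
    ca_rc=0
    for ca_ns in $(zone_nameservers "$ca_zone"); do
        if authoritative_txt "$ca_ns" "$ca_name" | grep -qxF -- "$ca_expected"; then
            echo "ok      $ca_ns"
        else
            echo "MISSING $ca_ns"
            ca_rc=1
        fi
    done
    return $ca_rc
}

# Poll until every nameserver has the record, then hand off to the ACME client.
# Hypothetical usage: wait_for_all _acme-challenge.www.example.org "$TOKEN" 300
wait_for_all() {
    wf_deadline=$(( $(date +%s) + ${3:-300} ))
    until check_all_ns "$1" "$2"; do
        [ "$(date +%s)" -lt "$wf_deadline" ] || { echo "timed out" >&2; return 1; }
        sleep 10
    done
}

# Command-line use: acme-dns-check.sh <challenge name> <expected value>
if [ $# -eq 2 ]; then
    check_all_ns "$1" "$2"
fi
```

Run it with the challenge name and the value the ACME client printed, and only continue with the validation when it exits 0. A MISSING line against one server while the others say ok is exactly the stale-secondary case: the zone has been reloaded on the master but not yet transferred, and since Let's Encrypt may ask that very server, the right move is to wait (or fix the NOTIFY / transfer), not to retry the challenge.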