Greetings. I've been using Caddy to provide automated SSL/TLS certs for quite some time. I use the PowerDNS plugin for DNS auth via API, and this has always worked perfectly. Recently, this stopped working. I've verified the record is still created in PowerDNS and is sent to all nameservers via the expected zone transfers almost immediately. However, the record is never validated/authenticated and the cert issuance fails. Logs:
Apr 17 14:30:29 mx1.fudnet.net caddy[880019]: {"level":"info","ts":1744900229.2062278,"logger":"tls.obtain","msg":"acquiring lock","identifier":"mx1.fudnet.net"}
Apr 17 14:30:29 mx1.fudnet.net caddy[880019]: {"level":"info","ts":1744900229.2067015,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/home/caddy/.local/share/caddy"}
Apr 17 14:30:29 mx1.fudnet.net caddy[880019]: {"level":"info","ts":1744900229.2069514,"logger":"tls","msg":"finished cleaning storage units"}
Apr 17 14:30:29 mx1.fudnet.net caddy[880019]: {"level":"info","ts":1744900229.2078485,"logger":"tls.obtain","msg":"lock acquired","identifier":"mx1.fudnet.net"}
Apr 17 14:30:29 mx1.fudnet.net caddy[880019]: {"level":"info","ts":1744900229.2081738,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"mx1.fudnet.net"}
Apr 17 14:30:29 mx1.fudnet.net caddy[880019]: {"level":"info","ts":1744900229.479262,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["mx1.fudnet.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Apr 17 14:30:29 mx1.fudnet.net caddy[880019]: {"level":"info","ts":1744900229.4793954,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["mx1.fudnet.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Apr 17 14:30:29 mx1.fudnet.net caddy[880019]: {"level":"info","ts":1744900229.7597547,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"mx1.fudnet.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Apr 17 14:32:32 mx1.fudnet.net caddy[880019]: {"level":"error","ts":1744900352.3660495,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"mx1.fudnet.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[mx1.fudnet.net] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/2346917157/375133936067) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
The root issue appears to be a timeout waiting for the records to fully propagate. However, I've got a quick shell script that uses 'dig' in near real time to pull the validation records, and they show up on all nameservers almost instantaneously.
I'm unable to determine how or why validation is failing when the records are indeed present on all nameservers.
Ideas/thoughts?
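As an added example, not code from the original post or from Caddy: a POSIX shell script that reproduces the shape of a DNS-01 propagation check rather than just querying the local resolver. It follows _acme-challenge.<host> through any CNAME, finds the zone apex by walking up the labels until a name returns NS records, and then asks each authoritative server directly, with recursion disabled, for the TXT record. Function and variable names are the editor's; it assumes dig is installed and that the expected value passed in is the token Caddy wrote into the record.

```shell
#!/bin/sh
# Added example (not Caddy's code). Requires dig (bind-utils / dnsutils).
# Names of all functions and variables below are illustrative.

# Follow _acme-challenge.<host> through any CNAME chain, as an ACME CA does,
# and print the final name that actually holds the TXT record.
challenge_name() {
  name="_acme-challenge.$1"
  cname=$(dig +short CNAME "$name" | head -n 1)
  while [ -n "$cname" ]; do
    name="${cname%.}"
    cname=$(dig +short CNAME "$name" | head -n 1)
  done
  echo "$name"
}

# Walk up the labels until a name returns NS records: that is the zone apex
# whose authoritative servers the CA will query.
zone_nameservers() {
  name="$1"
  while [ -n "$name" ]; do
    ns=$(dig +short NS "$name")
    if [ -n "$ns" ]; then
      echo "$ns"
      return 0
    fi
    case "$name" in
      *.*) name="${name#*.}" ;;
      *)   name="" ;;
    esac
  done
  return 1
}

# Parse "dig +short TXT" output (one quoted string per line) and report
# whether the expected token is present. Pure text handling, so it can be
# exercised offline on constructed dig output.
has_txt_value() {
  expected="$2"
  printf '%s\n' "$1" | sed 's/^"//; s/"$//' | grep -Fxq -- "$expected"
}

# Query every authoritative server for the zone and report per server.
# Exit status 1 if any server lacks the record, 2 if no NS set was found.
check_propagation() {
  host="$1"
  expected="$2"
  name=$(challenge_name "$host")
  servers=$(zone_nameservers "$name") || {
    echo "no NS records found above $name" >&2
    return 2
  }
  rc=0
  for ns in $servers; do
    ns="${ns%.}"
    # +norecurse asks the server only for data it is authoritative for.
    answer=$(dig +short TXT "$name" "@$ns" +norecurse +time=3 +tries=1)
    if has_txt_value "$answer" "$expected"; then
      echo "OK    $ns has $name = $expected"
    else
      echo "MISS  $ns answered: ${answer:-<empty>}"
      rc=1
    fi
  done
  return $rc
}

if [ "$#" -eq 2 ]; then
  check_propagation "$1" "$2"
fi
```

Run it as `./check.sh mx1.fudnet.net <token>` while Caddy is mid-challenge (the token is the value Caddy writes into the TXT record; the script does not invent one). The point of the exercise is to compare like with like: a MISS here from a server that a plain `dig TXT` reports as populated usually means the two queries differ in resolver path, in a CNAME on _acme-challenge, or in which servers the zone's NS set actually lists, and those are the places to look before blaming replication. For Caddy's own check, the Caddyfile `tls` block's `propagation_timeout` (set to -1 to skip the wait) and `resolvers` options control how long it waits and which resolvers it asks.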