DNS-01 TXT Record Not Propagating for RADIUS Certificate

I'm trying to issue a certificate for radius.vandyke.beds.sch.uk using the DNS-01 challenge via Win-ACME for use with a Ruckus RADIUS setup.

I've added the required TXT record:

  • Name: _acme-challenge.radius.vandyke.beds.sch.uk
  • Value: LVg79ZQHQpwnHzCcrxP7HaAk17E_-7YTU1VDNjNUxjs

The record appears correctly in our DNS manager, and it's been several hours since it was added. However, it's still not visible via public DNS tools like DNSChecker or dig, and the ACME challenge fails due to the record not being found.

We’ve confirmed:

  • The record is correctly formatted.
  • There are no extra quotes or typos.
  • It’s not a CNAME.
  • It’s not limited to internal DNS (as far as we can tell).

Has anyone experienced similar issues where a TXT record appears in the DNS manager but doesn’t propagate externally? Could this be a DNS provider issue or a TTL/configuration problem?

Any advice would be appreciated!

Which DNS manager? vandyke.beds.sch.uk is being managed by Cloudflare, and the radius label doesn't seem to exist according to the Cloudflare nameservers, nor does the _acme-challenge.radius record.

1 Like

Hi, thanks for getting back to me.

Since this post I have spoken to our DNS provider, who has said the TXT won't work as there is no radius.vandyke.beds.sch.uk.

He advised me to start again and do a wildcard, as there is only an A record for vandyke.beds.sch.uk.

So it is now acme-challenge.vandyke.beds.sch.uk. But it is still not propagating as you can see here:

The DNS provider is Oakford Technology Limited.

Any ideas?

No, it's not:

osiris@erazer ~ $ dig +trace _acme-challenge.vandyke.beds.sch.uk TXT

; <<>> DiG 9.18.29 <<>> +trace _acme-challenge.vandyke.beds.sch.uk TXT
;; global options: +cmd
.			38516	IN	NS	b.root-servers.net.
.			38516	IN	NS	c.root-servers.net.
.			38516	IN	NS	a.root-servers.net.
.			38516	IN	NS	g.root-servers.net.
.			38516	IN	NS	l.root-servers.net.
.			38516	IN	NS	d.root-servers.net.
.			38516	IN	NS	m.root-servers.net.
.			38516	IN	NS	h.root-servers.net.
.			38516	IN	NS	f.root-servers.net.
.			38516	IN	NS	k.root-servers.net.
.			38516	IN	NS	j.root-servers.net.
.			38516	IN	NS	i.root-servers.net.
.			38516	IN	NS	e.root-servers.net.
.			38516	IN	RRSIG	NS 8 0 518400 20250702190000 20250619180000 53148 . KS1AkqNyCvpSCg5p3UStTnOo58agrnGy6pc6FtopmjMf/k5pbJX+1RLI ubunm/QuaqQqm8GeViyW7BP2eEnOPhJWfQIJ4f5/TkVpX3VnISShnGpY QpKdIzFJkAmo33f1yYdpGd07ibYW+4mGoVQ+Rx5bkbdFDYMJJQnShYd+ WLa3g6SjO0pAAGRrU+zm8fodhttmM8ssVGfmHIKVrq0IXklPYgcXqpTY G75E3+tOktFR5MCVWiDHWFk8USmDHmtdpeiB/D5a+XNmWDJFzK8b3e9M 6CsVPp7BcWbjBsl3VykSQHJ64PhZ6qqlECgEAt2cdcq8guQCaEn8AfI8 o44RtA==
;; Received 525 bytes from 185.93.175.43#53(185.93.175.43) in 11 ms

uk.			172800	IN	NS	nsa.nic.uk.
uk.			172800	IN	NS	nsb.nic.uk.
uk.			172800	IN	NS	nsc.nic.uk.
uk.			172800	IN	NS	nsd.nic.uk.
uk.			172800	IN	NS	dns1.nic.uk.
uk.			172800	IN	NS	dns2.nic.uk.
uk.			172800	IN	NS	dns3.nic.uk.
uk.			172800	IN	NS	dns4.nic.uk.
uk.			86400	IN	DS	43876 8 2 A107ED2AC1BD14D924173BC7E827A1153582072394F9272BA37E2353 BC659603
uk.			86400	IN	RRSIG	DS 8 1 86400 20250703050000 20250620040000 53148 . DyntxaJ/48WUXKGk2msKjpZddVLFrxQeEFd+yrPNNl9r6FFTBYOUPS+R ymT/glUco5IJt+AYsPkBRF7vD4eOgJxUJuPnZQu0HMLDXEe8vxz0Arkn fEsCDlWlvVtg12LxLbHNYPwLxQbzefFkc+GTyCEXn1CDD8Ogbl4sv2SN rAbx+Pz/yLwIDwmp29Be6GBv++6FgwVraSIfEuwjCut5+Gk2h5uPpz41 p57mtn384jWkJCxXsA0jL3nlnKHNbrYr9dsK5R+reJP21lsmMIfLAWFY q/n8+tkkVuyY2LXaTfiwp1yWThXEueQAK1lQhQyYzB4l9YC0js8y6OSu 2VPhTA==
;; Received 903 bytes from 2801:1b8:10::b#53(b.root-servers.net) in 100 ms

vandyke.beds.sch.uk.	172800	IN	NS	desi.ns.cloudflare.com.
vandyke.beds.sch.uk.	172800	IN	NS	jacob.ns.cloudflare.com.
5C22CKSSQSNVVU7R1NF2LAEGM6HH43UH.sch.uk. 10800 IN NSEC3	1 1 0 - 5ID6GV5IPPBVK97TJ2QF298RRNB9F36G
5C22CKSSQSNVVU7R1NF2LAEGM6HH43UH.sch.uk. 10800 IN RRSIG	NSEC3 8 3 10800 20250722234142 20250617225638 10434 sch.uk. RUYkdGSW/f11uB+wSBnjOTVEYclY/fS2ZqP+lvTQ6lGzlXqBy/mQ7c/h FRkH37vn7QyplAzOCiCXpXWiO8HKwNAIh8+wUnBokoGekAJXvD3irwkm TPjmJZjZY/07u60aLseoW+lpbd/RuG/xwwiX3Bhi3zD11YdidC0B5TQ9 Bzo=
OKK4U7IMCBER21KC13DTQ4INLTJ53Q7I.sch.uk. 10800 IN NSEC3	1 1 0 - P0G4AA65TG885A10CSAQ3LO98U63QMMI
OKK4U7IMCBER21KC13DTQ4INLTJ53Q7I.sch.uk. 10800 IN RRSIG	NSEC3 8 3 10800 20250720154542 20250615154233 10434 sch.uk. Tkkh6T7Xw+q4VARfT9ICFdUIFrGkJlV/nnTzDnkTKrgaDMa4B+DsTJRG 5S5VEdFyjjL4vNVdLM0w3T4xnq0zjgbjvjbaIwo+ybnZtNdJRkCXLLxq qm+cHbb90dKfoCcgP0dqVxV9IZ3IsfyacXPfUOQ5HOFQMxgUotqFSKX2 yxQ=
;; Received 628 bytes from 156.154.103.3#53(nsd.nic.uk) in 10 ms

vandyke.beds.sch.uk.	1800	IN	SOA	desi.ns.cloudflare.com. dns.cloudflare.com. 2374502627 10000 2400 604800 1800
;; Received 126 bytes from 2803:f800:50::6ca2:c3a2#53(jacob.ns.cloudflare.com) in 23 ms

osiris@erazer ~ $ 

Notice the reply of nsd.nic.uk (one of the .uk. TLD nameservers) lists desi.ns.cloudflare.com. and jacob.ns.cloudflare.com. as the authoritative nameservers for the vandyke.beds.sch.uk. zone? That's Cloudflare. Not Oakford Technology Limited.

So you somehow need to make sure the ACME challenge gets to those Cloudflare nameservers.

Removed the part about the email address.. It was in the .co.uk. zone and not .sch.uk... The .uk. TLD doesn't make it easier in that regard :stuck_out_tongue: .beds.sch.uk. vs. .cbeds.co.uk., who would have thought..

1 Like

Thank you for pointing this out! Good spot. I have queried this with OakFord.

As for the other stuff, I was just responding, then you removed it!!

Yeah, I was incorrect, misread the hostname.. Complicated TLD, that .uk. :stuck_out_tongue:

Yeah, that's the domain for their Microsoft; they have another domain for their Google!!

DNS challenges change for every order (or new attempt) so the simplest way to complete a DNS challenge is to automate the update to DNS.

For Cloudflare that requires the tool you are using to have a plugin/provider for Cloudflare and for you to get an API key that can be used to update that DNS zone in public DNS (not internally).

DNS propagation (waiting for 3rd party caching to catch up with your primary nameserver) is not relevant to ACME challenges or Let's Encrypt, because Let's Encrypt looks at your primary nameservers, not a cache.

You can create a test _acme-challenge.radius TXT record in your vandyke.beds.sch.uk zone then check it using:

Note that the service you are intending to use the certificate with is unimportant for the purposes of acquiring the certificate and with DNS challenges you can even get certs for completely made up things like certificatesarefun.vandyke.beds.sch.uk.

They do not need to appear in DNS already and do not need to be a real service; you just have to be able to publish a public _acme-challenge.certificatesarefun TXT record with the challenge response value.

Here is a Cloudflare guide for Certify The Web which has some transferable info for any ACME client: Cloudflare DNS | Certify The Web Docs

1 Like
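As an added example (not code from anyone in this thread), here is a Python check that does what the last reply describes: find the zone cut for the challenge name and ask each authoritative nameserver directly for the _acme-challenge TXT record, never a recursive cache. The default lookup shells out to `dig` (assumed to be installed); `sample_lookup` is constructed offline from the delegation shown in the trace above, where the zone cut is at vandyke.beds.sch.uk and no radius record exists.

```python
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# A lookup takes (qname, rrtype, server) and returns the record strings.
# server=None means "ask the local recursive resolver" (a cache);
# a hostname means "ask that nameserver directly", as an ACME CA does.
Lookup = Callable[[str, str, Optional[str]], List[str]]

def dig_lookup(qname: str, rrtype: str, server: Optional[str] = None) -> List[str]:
    """Real lookup via the system `dig` binary (assumed to be installed)."""
    cmd = ["dig", "+short", "+time=3", "+tries=1"]
    if server:
        cmd.append(f"@{server}")
    proc = subprocess.run(cmd + [qname, rrtype], capture_output=True, text=True)
    return [ln.strip() for ln in proc.stdout.splitlines() if ln.strip()]

def find_zone_cut(name: str, lookup: Lookup) -> Tuple[str, List[str]]:
    """Walk up the labels until a name with NS records is found: that is the
    zone the TXT record must be published in, served by those nameservers."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        ns = lookup(zone, "NS", None)
        if ns:
            return zone, sorted(n.rstrip(".").lower() for n in ns)
    raise RuntimeError(f"no NS records found above {name}")

def check_acme_txt(fqdn: str, expected: str, lookup: Lookup = dig_lookup) -> Dict[str, object]:
    """Report whether _acme-challenge.<fqdn> carries `expected` on every
    authoritative server of the enclosing zone; caches are never consulted."""
    qname = f"_acme-challenge.{fqdn.rstrip('.')}"
    zone, servers = find_zone_cut(qname, lookup)
    found = {s: expected in [v.strip('"') for v in lookup(qname, "TXT", s)] for s in servers}
    return {"zone": zone, "servers": servers, "found": found, "ok": all(found.values())}

# Constructed offline sample mirroring the delegation seen in the dig trace:
# vandyke.beds.sch.uk is served by Cloudflare, and nothing exists below it.
SAMPLE_ANSWERS = {
    ("vandyke.beds.sch.uk", "NS", None): ["desi.ns.cloudflare.com.", "jacob.ns.cloudflare.com."],
}

def sample_lookup(qname: str, rrtype: str, server: Optional[str] = None) -> List[str]:
    return SAMPLE_ANSWERS.get((qname, rrtype, server), [])

if __name__ == "__main__":
    token = "LVg79ZQHQpwnHzCcrxP7HaAk17E_-7YTU1VDNjNUxjs"  # value from the first post
    print(check_acme_txt("radius.vandyke.beds.sch.uk", token, sample_lookup))
```

Swap `sample_lookup` for the default `dig_lookup` to run it against live DNS; a result with `ok: False` but the right servers listed tells you the record is missing at the provider that actually serves the zone, not that propagation is slow.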