The record appears correctly in our DNS manager, and it's been several hours since it was added. However, it's still not visible via public DNS tools like DNSChecker or dig, and the ACME challenge fails due to the record not being found.
We’ve confirmed:
The record is correctly formatted.
There are no extra quotes or typos.
It’s not a CNAME.
It’s not limited to internal DNS (as far as we can tell).
Has anyone experienced similar issues where a TXT record appears in the DNS manager but doesn’t propagate externally? Could this be a DNS provider issue or a TTL/configuration problem?
Which DNS manager? vandyke.beds.sch.uk is being managed by Cloudflare and the radius label doesn't seem to exist according to the Cloudflare nameservers, nor is the _acme-challenge.radius record.
osiris@erazer ~ $ dig +trace _acme-challenge.vandyke.beds.sch.uk TXT
; <<>> DiG 9.18.29 <<>> +trace _acme-challenge.vandyke.beds.sch.uk TXT
;; global options: +cmd
. 38516 IN NS b.root-servers.net.
. 38516 IN NS c.root-servers.net.
. 38516 IN NS a.root-servers.net.
. 38516 IN NS g.root-servers.net.
. 38516 IN NS l.root-servers.net.
. 38516 IN NS d.root-servers.net.
. 38516 IN NS m.root-servers.net.
. 38516 IN NS h.root-servers.net.
. 38516 IN NS f.root-servers.net.
. 38516 IN NS k.root-servers.net.
. 38516 IN NS j.root-servers.net.
. 38516 IN NS i.root-servers.net.
. 38516 IN NS e.root-servers.net.
. 38516 IN RRSIG NS 8 0 518400 20250702190000 20250619180000 53148 . KS1AkqNyCvpSCg5p3UStTnOo58agrnGy6pc6FtopmjMf/k5pbJX+1RLI ubunm/QuaqQqm8GeViyW7BP2eEnOPhJWfQIJ4f5/TkVpX3VnISShnGpY QpKdIzFJkAmo33f1yYdpGd07ibYW+4mGoVQ+Rx5bkbdFDYMJJQnShYd+ WLa3g6SjO0pAAGRrU+zm8fodhttmM8ssVGfmHIKVrq0IXklPYgcXqpTY G75E3+tOktFR5MCVWiDHWFk8USmDHmtdpeiB/D5a+XNmWDJFzK8b3e9M 6CsVPp7BcWbjBsl3VykSQHJ64PhZ6qqlECgEAt2cdcq8guQCaEn8AfI8 o44RtA==
;; Received 525 bytes from 185.93.175.43#53(185.93.175.43) in 11 ms
uk. 172800 IN NS nsa.nic.uk.
uk. 172800 IN NS nsb.nic.uk.
uk. 172800 IN NS nsc.nic.uk.
uk. 172800 IN NS nsd.nic.uk.
uk. 172800 IN NS dns1.nic.uk.
uk. 172800 IN NS dns2.nic.uk.
uk. 172800 IN NS dns3.nic.uk.
uk. 172800 IN NS dns4.nic.uk.
uk. 86400 IN DS 43876 8 2 A107ED2AC1BD14D924173BC7E827A1153582072394F9272BA37E2353 BC659603
uk. 86400 IN RRSIG DS 8 1 86400 20250703050000 20250620040000 53148 . DyntxaJ/48WUXKGk2msKjpZddVLFrxQeEFd+yrPNNl9r6FFTBYOUPS+R ymT/glUco5IJt+AYsPkBRF7vD4eOgJxUJuPnZQu0HMLDXEe8vxz0Arkn fEsCDlWlvVtg12LxLbHNYPwLxQbzefFkc+GTyCEXn1CDD8Ogbl4sv2SN rAbx+Pz/yLwIDwmp29Be6GBv++6FgwVraSIfEuwjCut5+Gk2h5uPpz41 p57mtn384jWkJCxXsA0jL3nlnKHNbrYr9dsK5R+reJP21lsmMIfLAWFY q/n8+tkkVuyY2LXaTfiwp1yWThXEueQAK1lQhQyYzB4l9YC0js8y6OSu 2VPhTA==
;; Received 903 bytes from 2801:1b8:10::b#53(b.root-servers.net) in 100 ms
vandyke.beds.sch.uk. 172800 IN NS desi.ns.cloudflare.com.
vandyke.beds.sch.uk. 172800 IN NS jacob.ns.cloudflare.com.
5C22CKSSQSNVVU7R1NF2LAEGM6HH43UH.sch.uk. 10800 IN NSEC3 1 1 0 - 5ID6GV5IPPBVK97TJ2QF298RRNB9F36G
5C22CKSSQSNVVU7R1NF2LAEGM6HH43UH.sch.uk. 10800 IN RRSIG NSEC3 8 3 10800 20250722234142 20250617225638 10434 sch.uk. RUYkdGSW/f11uB+wSBnjOTVEYclY/fS2ZqP+lvTQ6lGzlXqBy/mQ7c/h FRkH37vn7QyplAzOCiCXpXWiO8HKwNAIh8+wUnBokoGekAJXvD3irwkm TPjmJZjZY/07u60aLseoW+lpbd/RuG/xwwiX3Bhi3zD11YdidC0B5TQ9 Bzo=
OKK4U7IMCBER21KC13DTQ4INLTJ53Q7I.sch.uk. 10800 IN NSEC3 1 1 0 - P0G4AA65TG885A10CSAQ3LO98U63QMMI
OKK4U7IMCBER21KC13DTQ4INLTJ53Q7I.sch.uk. 10800 IN RRSIG NSEC3 8 3 10800 20250720154542 20250615154233 10434 sch.uk. Tkkh6T7Xw+q4VARfT9ICFdUIFrGkJlV/nnTzDnkTKrgaDMa4B+DsTJRG 5S5VEdFyjjL4vNVdLM0w3T4xnq0zjgbjvjbaIwo+ybnZtNdJRkCXLLxq qm+cHbb90dKfoCcgP0dqVxV9IZ3IsfyacXPfUOQ5HOFQMxgUotqFSKX2 yxQ=
;; Received 628 bytes from 156.154.103.3#53(nsd.nic.uk) in 10 ms
vandyke.beds.sch.uk. 1800 IN SOA desi.ns.cloudflare.com. dns.cloudflare.com. 2374502627 10000 2400 604800 1800
;; Received 126 bytes from 2803:f800:50::6ca2:c3a2#53(jacob.ns.cloudflare.com) in 23 ms
osiris@erazer ~ $
Notice the reply of nsd.nic.uk (one of the .uk. TLD nameservers) lists desi.ns.cloudflare.com. and jacob.ns.cloudflare.com. as the authorative nameservers for the vandyke.beds.sch.uk. zone? That's Cloudflare. Not Oakford Technology Limited.
So you somehow need to make sure the ACME challenge gets to those Cloudflare nameservers.
Removed the part about the email address.. It was in the .co.uk. zone and not .sch.uk... The .uk. TLD doesn't make it easier in that regard .beds.sch.uk. vs. .cbeds.co.uk., who would have thought..
DNS challenges change for every order (or new attempt) so the simplest way to complete a DNS challenge is to automate the update to DNS.
For Cloudflare that requires the tool you are using to have a plugin/provider for Cloudflare and for you to get an API key that can be used to update that DNS zone in public DNS (not internally).
DNS propagation (waiting for 3rd party caching to catch up with your primary nameserver) is not relevant to ACME challenges or Let's Encrypt, because Let's Encrypt looks at your primary nameservers, not a cache.
You can create a test _acme-challenge.radius TXT record in your vandyke.beds.sch.uk zone then check it using:
Note that the service you are intending to use the certificate with is unimportant for the purposes of acquiring the certificate and with DNS challenges you can even get certs for completely made up things like certificatesarefun.vandyke.beds.sch.uk.
They do not need to appear in DNS already and do not need to a real service, you just have to be able to publish a public _acme-challenge.certificatesarefun TXT record with the challenge response value.
