DNS challenge failing: NXDOMAIN looking up TXT

I also had this problem, and solved it by upgrading to BIND 9.10.

The problem was that in BIND ≤ 9.9, the way to implement split DNS was to define an internal view and an external view in named.conf, each incorporating some zones:

view "internal" {
    match-clients { … };
    zone "private.example.org" { … };
};
view "external" {
    match-clients { … };
    zone "private.example.org" { … };
    zone "example.org" { … };
};

The problem is, BIND does not necessarily serve consistent responses for example.org through both views. Even though I make a query (through the internal view) to verify that the correct TXT record is in place before proceeding with the ACME challenge, the wrong response could still be served through the external view.

One workaround is to use, say, Google’s 8.8.8.8 DNS server when looking for the TXT record, so that the verification is done on the external view.

A better solution is to upgrade to BIND 9.10, which supports the in-view directive, so that both views refer to the same zone definition.

view "internal" {
    match-clients { … };
    zone "private.example.org" { … };
};
view "external" {
    match-clients { … };
    zone "private.example.org" { in-view "internal"; };
    zone "example.org" { … };
};
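As an added example (not part of the original answer or of BIND itself), the following stdlib-only Python script does the "verify through an external resolver" check from the workaround above: it sends a raw TXT query for the dns-01 name to a resolver of your choice (8.8.8.8 by default, which is an assumption) rather than to the split-horizon server's internal view, and it distinguishes NXDOMAIN (the name is absent from the view that resolver sees) from "record present but holding the wrong token". The packet layout follows RFC 1035; the query id is fixed for readability and the zone names are placeholders.

```python
"""Check an ACME dns-01 TXT record through an explicit resolver.

Added example, not from the original post. Querying the resolver the CA
will use (assumed: 8.8.8.8) avoids being fooled by a split-DNS internal
view that differs from the external one.
"""
import socket
import struct

TYPE_TXT = 16
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Standard query with RD=1 and one question: <name> TXT IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past the name at pos (compression pointers included)."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return pos + 2
        pos += 1 + length


def parse_response(data: bytes):
    """Return (rcode name, [TXT strings]) from a raw DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = RCODE_NAMES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F))
    pos = 12
    for _ in range(qd):                # skip the question section
        pos = skip_name(data, pos) + 4
    txts = []
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == TYPE_TXT:
            # RDATA is a sequence of <len><chars> strings; concatenate them
            i, parts = 0, []
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            txts.append("".join(parts))
    return rcode, txts


def query_txt(name: str, resolver: str = "8.8.8.8", timeout: float = 3.0):
    """Send the query over UDP to <resolver> (assumed reachable) and parse the reply."""
    qid = 0x1234  # fixed here for readability; use a random id in production
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise RuntimeError("response id mismatch")
    return parse_response(data)


def challenge_status(rcode: str, txts, expected: str) -> str:
    """Classify the answer relative to the token the CA expects to find."""
    if rcode == "NXDOMAIN":
        return "missing"       # name does not exist in the view this resolver sees
    if rcode != "NOERROR":
        return "error:" + rcode
    return "ok" if expected in txts else "wrong"


if __name__ == "__main__":
    import sys
    # usage: python check_txt.py _acme-challenge.example.org TOKEN [resolver]
    name, token = sys.argv[1], sys.argv[2]
    resolver = sys.argv[3] if len(sys.argv) > 3 else "8.8.8.8"
    rcode, txts = query_txt(name, resolver)
    print(rcode, txts, challenge_status(rcode, txts, token))
```

Run it once against the resolver the CA will use and once against your own server's address; if the first reports "missing" or "wrong" while the second reports "ok", the external view is serving something other than what you verified internally.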