DNS Challenge for Many Domains failes with CNAMEs

We use DNS-Validation, with CNAMEs on the Domains to acme.neusta-is.de, where we can add and delete TXT Records with a hook.
It works fine, but now it fails if there are for example 22 TXT-Records or more. Maybe with less, but I have no example for that at the moment.
Previously everything works fine up to around 70 TXT-Records.

If there are to many TXT-Records present, I got

  Domain: sachsen-tourismus.de
  Type:   unauthorized
  Detail: No TXT record found at sachsen-tourismus.de

for every Domain requested in the certificate.

Did something changed here?

1 Like

Hi @43n12y, and welcome to the LE community forum :slight_smile:

There are a couple of related topics recently opened.
Search results for 'unbound txt' - Let's Encrypt Community Support (letsencrypt.org)


Thanks for your reply. Don't know why I wasn't able to search it myself, maybe cause the year just started.
I could use your tip from here (DNS-01 challenge fails since unbound 1.18. TXT records can be fetch using unbound 1.16 but not 1.18 1.19 - #6 by rg305) as workaround.


It sounds like you've leveraged a bit of an anti-pattern here. You shouldn't have 70 or 22 txt records live.


Looks like they are a service provider and combine multiple domains on one cert. Were you thinking they just were not cleaning up obsolete TXT values?

Example: crt.sh | 10823447789

Update: Also see related thread with call-out to staff: DNS-01 challenge fails since unbound 1.18. TXT records can be fetch using unbound 1.16 but not 1.18 1.19 - #17 by petercooperjr


That (second bit) was my first thought, but then I reread and noticed the CNAME (and understood the first bit) and still thought it seemed to be an anti-pattern.

The consumption of TXT records has a long history of issues due to size. I know the recent unbound hiccup surfaced some new issues, but this has always been pretty fragile and this design pushes the limits a bit. It also complicates troubleshooting and cleanup. IMHO, every domain should CNAME onto it's own FQDN for TXT records - like the acme-dns model.


If only TXT records came with built-in expiration dates...


:+1: Considered dedicated CNAMES for each Domain as well. But until now we had no problems. I rethink that, cause it will complicate communication to the customer and the task for the customer to set DNS-entries.

It can be done in ways that don't complicate the messaging.

You could pre-assign each domain a unique code as part of your enrollment.

You can also use a templated naming system like: {DOMAIN}.acme.neusta-is.de

So your clients would be told to cname:

  • example.com -> example.com.acme.neusta-is.de
  • www.example.com -> www.example.com.acme.neusta-is.de

Then you just have a page on your account dashboard that shows what each domain must be cnamed onto, instead of a single cname for everything.


yeah, came to the same approach, thumbs up


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.