DNS response for _acme-challenge.systron.de had fatal DNSSEC issues: validation
failure <_acme-challenge.systron.de. TXT IN>: no signatures from 46.237.197.205
I like the way of separating the zone into a static and a dynamic part.
An error occurred while attempting to lookup the TXT record on _acme-challenge.systron.de . Any resolver errors that the Let’s Encrypt CA encounters on this record will cause certificate issuance to fail.
DNS response for _acme-challenge.systron.de had fatal DNSSEC issues: validation failure <_acme-challenge.systron.de. TXT IN>: no signatures from 46.237.197.205
Exactly. For certificate authorities, not issuing certificates that shouldn't be issued is even more important than issuing certificates that should be issued. (That's ultimately what makes the certificates useful to the end users who visit sites.) So Let's Encrypt wants to use every source of information that can be checked automatically by machine that might help confirm whether the domain owner agrees with each certificate issuance request. DNSSEC is one source of information that can help confirm this, and in some cases help prevent the issuance of certificates that the domain owner didn't want.