Hello Let’s Encrypt Community,
I need assistance with a DNS-01 validation issue related to an OpenShift/MAS deployment in production.
Previously, the client configured a private hosted zone in Cloudflare for the sub-domain used for certificate issuance. That zone has since been deleted, but Let’s Encrypt still appears to be attempting DNS-01 validation against the old (now non-existent) nameservers. As a result, ACME challenges continue to fail with errors indicating that the previous NS delegation is still being referenced.
Here is the issue:
- The private hosted zone and its NS records were completely removed in Cloudflare several weeks ago.
- Public DNS resolvers still seem to return either REFUSED responses or outdated data for the _acme-challenge records.
- cert-manager logs show the validation failing due to Let’s Encrypt attempting to query the previous NS delegation.
- I cannot proceed with creating a new public hosted zone and delegating it properly until Let’s Encrypt stops referencing the old zone data.
Request:
Is it possible for Let’s Encrypt to clear or “forget” the stale DNS delegation information associated with the domain so that new, correct NS records can be recognized during the next validation attempt?
I have full control of the domain and will configure a proper public hosted zone with valid NS delegation once the cached data is flushed.
Any guidance or steps from the Let’s Encrypt team or community would be greatly appreciated.
Thank you.