We're using cert-manager v1.11.1 to issue certificates via DNS-01 for a number of hosts in the stibo.dk domain. Reissuing existing certificates and issuing new certificates works perfectly, but for a select few, issuance fails with:
E0525 11:42:54.803799 1 sync.go:379] cert-manager/challenges/acceptChallenge "msg"="error waiting for authorization" "error"="acme: authorization error for asciinema.stibo.dk: 400 urn:ietf:params:acme:error:dns: DNS problem: SERVFAIL looking up CAA for asciinema.stibo.dk - the domain's nameservers may be malfunctioning" "dnsName"="asciinema.stibo.dk" "resource_kind"="Challenge" "resource_name"="asciinema.stibo.dk-tmv5j-3528835467-1941497609" "resource_namespace"="asciinema" "resource_version"="v1" "type"="DNS-01"
The above error doesn't show up for other similar (and working) certificates of the same zone.
You're looking at the CAA record for stibo.dk, but the error is for the full name (which it has to check first): SERVFAIL looking up CAA for asciinema.stibo.dk
You don't need a CAA record for the full name, but if you don't have one the DNS server needs to correctly respond NOERROR (that there are no records) instead of giving an error.
For what it's worth, I see a SERVFAIL trying to request an A or AAAA record for the asciinema.stibo.dk name as well.
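The distinction the reply draws (a SERVFAIL blocks issuance, while NOERROR with an empty answer lets the CA move on to the parent name) can be checked directly against a zone's authoritative nameserver. The script below is an added example, not code from the thread or from cert-manager; it uses only the Python standard library, builds a raw CAA (type 257) query, parses the reply and walks the name towards the TLD the way a CA's CAA check does. The hostname is the one from the thread; the nameserver address `NS_IP` is a placeholder, and `make_response` builds constructed packets for offline testing rather than real server replies.

```python
import socket
import struct

QTYPE_CAA = 257
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id; adequate for a one-shot diagnostic

def build_query(name, qtype=QTYPE_CAA):
    """Build a minimal DNS query: RD set, one question, IN class, no EDNS."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _read_name(data, offset):
    """Decode a (possibly compressed) owner name; return (name, offset past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset

def parse_response(data):
    """Return rcode, AA flag and any CAA records from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    records = []
    for _ in range(an):
        owner, offset = _read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_CAA:               # RFC 8659 wire format: flags, tag length, tag, value
            taglen = rdata[1]
            records.append((owner, rdata[0], rdata[2:2 + taglen].decode(), rdata[2 + taglen:].decode()))
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "aa": bool(flags & 0x0400), "caa": records}

def classify(parsed):
    """What a CA's CAA check concludes from one response (RFC 8659 section 3)."""
    if parsed["rcode"] == "SERVFAIL":
        return "blocked-servfail"     # lookup failed: the CA must not issue
    if parsed["caa"]:
        return "caa-present"          # these records decide who may issue
    if parsed["rcode"] in ("NOERROR", "NXDOMAIN"):
        return "no-caa-climb"         # empty set at this name: check the parent
    return "blocked-" + parsed["rcode"].lower()

def caa_chain(name, resolver):
    """Walk from the full name up to the TLD, as a CA does, until a verdict is reached."""
    labels, results = name.rstrip(".").split("."), []
    while len(labels) >= 2:
        current = ".".join(labels)
        parsed = resolver(current)
        verdict = classify(parsed)
        results.append((current, parsed["rcode"], verdict))
        if verdict != "no-caa-climb":
            break
        labels = labels[1:]
    return results

def query_caa(name, server, timeout=3.0):
    """Send one UDP CAA query straight to a nameserver (bypasses caches); needs network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

def make_response(name, rcode, caa=()):
    """Constructed response packet for offline testing; not a capture from a real server."""
    header = struct.pack("!HHHHHH", TXID, 0x8400 | rcode, 1, len(caa), 0, 0)  # QR=1, AA=1
    body = build_query(name)[12:]                                             # question section
    for flags, tag, value in caa:
        rdata = bytes([flags, len(tag)]) + tag.encode() + value.encode()
        body += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_CAA, 1, 300, len(rdata)) + rdata
    return header + body

if __name__ == "__main__":
    NS_IP = "192.0.2.53"  # placeholder: put the zone's authoritative nameserver address here
    for host, rcode, verdict in caa_chain("asciinema.stibo.dk", lambda n: query_caa(n, NS_IP)):
        print(f"{host}: {rcode} -> {verdict}")
```

Run it once against each authoritative nameserver of the zone: a healthy zone reports `no-caa-climb` for the host and then either `no-caa-climb` or `caa-present` for the apex, whereas the failure in the log corresponds to `blocked-servfail` at the very first step. Querying the authoritative servers directly matters because a recursive resolver's cached answer can hide or outlast the misbehaviour the CA actually sees.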
That may not be necessary, as LE will only use the authoritative DNS servers.
That said, I would prefer that you "test" this out using the staging system [first].
As it happened, it wasn't DNS caches that needed timing out, but simply the back-off of cert-manager itself that needed to time out and renew all the problematic certificates.
All's well again, thank you for reading the log file for me :)