For reference, the zone file and named.conf entry of a working zone are:
Zone file:
$ORIGIN .
$TTL 900 ; 15 minutes
subdomain.example.org   IN SOA  ns.example.com. root.example.com. (
                                2018011425 ; serial
                                7200       ; refresh (2 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                21600      ; minimum (6 hours)
                                )
                        NS      ns.example.com.
                        A       x.x.x.x
                        AAAA    2001:x:x:1::1
Relevant named.conf entry:
zone "subdomain.example.org" IN {
    type master;
    file "pri/subdomain.example.org.zone";
    update-policy {
        grant certbot. zonesub TXT;
    };
    allow-query {
        any;
    };
};
And the credentials file, for reference:
dns_rfc2136_name = certbot
dns_rfc2136_algorithm = HMAC-SHA512
dns_rfc2136_server = 127.0.0.1
dns_rfc2136_secret = xxx
Works like a charm, for the zone base domain name as well as the www subdomain.
Not sure if that's correctly copy/pasted, but it seems to be missing an underscore. Is this redirect because the BIND instance Certbot is using runs on 192.254.233.86 instead of on the authoritative nameservers of your domain?
In any case, in none of my dig attempts did I find any NS delegation.
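A way to exercise the TSIG key and the `update-policy` from the configuration above by hand, before involving Certbot. This is an added example, not part of the original posts. The key file path, the `policy-test` name and the token are assumptions.

```shell
#!/bin/sh
# Added example: exercise the "certbot" TSIG key and the update-policy by hand.
SERVER="127.0.0.1"              # dns_rfc2136_server from the credentials file
ZONE="subdomain.example.org"    # zone from the named.conf entry
# Assumed path (not from the post) to a key file holding the "certbot" key.
KEYFILE="${KEYFILE:-/etc/bind/certbot.key}"

# Print the RFC 2136 batch that adds or deletes an ACME challenge TXT record.
# usage: build_update add|delete <fqdn> [token]
build_update() {
    bu_host="${2%.}"            # tolerate a trailing dot on the name
    printf 'server %s\nzone %s.\n' "$SERVER" "$ZONE"
    if [ "$1" = add ]; then
        printf 'update add _acme-challenge.%s. 60 TXT "%s"\n' "$bu_host" "${3:-}"
    else
        printf 'update delete _acme-challenge.%s. TXT\n' "$bu_host"
    fi
    printf 'send\n'
}

# Print an update that "grant certbot. zonesub TXT" must refuse (an A record).
# policy-test and 192.0.2.1 are constructed values.
build_forbidden_update() {
    printf 'server %s\nzone %s.\n' "$SERVER" "$ZONE"
    printf 'update add policy-test.%s. 60 A 192.0.2.1\nsend\n' "$ZONE"
}

# Needs nsupdate, dig and the running BIND instance; token is a constructed value.
run_check() {
    build_update add "$ZONE" "constructed-test-token" | nsupdate -k "$KEYFILE" || return 1
    dig +short TXT "_acme-challenge.$ZONE" "@$SERVER"
    build_update delete "$ZONE" | nsupdate -k "$KEYFILE" || return 1
    if build_forbidden_update | nsupdate -k "$KEYFILE" 2>/dev/null; then
        echo "WARNING: key may write non-TXT records; remove policy-test.$ZONE" >&2
        return 2
    fi
    echo "TXT update accepted, A update refused"
}

# Only talk to the server when asked: sh check.sh run
if [ "${1:-}" = run ]; then run_check; fi
```

If the TXT update is refused here, the problem is in the key or the `update-policy` rather than in Certbot.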