Hi rg305, thanks for taking a look.
It seems the IPv6 address is not gone.
The IPv6 answer has been removed from the name servers already. I don't see them when querying the name servers directly. Are they being cached by LetsEncrypt? It's not clear to us why the challenges are still resolving to these alternate addresses.
I've watched the records change from an AAAA that resolved to an IPv6 address, to now the cname, i.e.
nslookup -query=AAAA dan.bfp.com ns2.dan.com
Server: ns2.dan.com
Address: 3.120.163.96#53
dan.bfp.com canonical name = 1.dan.bodis.com
This was done a while ago, it seems almost as if they're still cached? Or I'm trying to issue an https certificate on a subdomain and there might be an certificate on the apex domain, could that be an issue?