What DNS servers does Let's Encrypt's ACME challenge use?

I'm trying to automate issuing and renewing wildcard certificates for my domains using the lego utility. I can't do this using certbot because there is no plugin available for my DNS provider (reg.ru). With lego, I can specify DNS resolvers, which will be checked before trying to validate the created TXT record on _acme-challenge. But I can't be sure that validation will pass, because I don't know exactly which DNS servers Let's Encrypt uses to validate my TXT record. Now I use,, and servers to check the creation of the TXT record, but it doesn't work every time. Sometimes I get the error No TXT record found at _acme-challenge.<mydomain>, despite the fact that the record was created on my DNS provider's servers and I can see it on other DNS servers. So my question is: which DNS servers can I use to ensure that the TXT record was successfully created and I can start validation?

P.S.: I saw an opinion that Let's Encrypt makes its own queries to the authoritative nameservers for the particular domain in question, but when I use ns1.reg.ru and ns2.reg.ru (reg.ru's DNS servers) as DNS resolvers to check the record before validation, it also fails.

Welcome to the community @murtll

Without knowing the domain name there is not much we can say for this kind of problem.

But, yes, the DNS challenge will be validated using your authoritative name servers.

You can use this website to check your TXT records. It uses a method similar to the Let's Encrypt servers. For a TXT lookup be sure to enter the URL as: _acme-challenge.<mydomain>


Then there is your problem.
All authoritative nameservers must be able to validate the TXT record request.
Perhaps you simply need to allow more time for them to synchronize.


I'm pretty sure that's a fact - you can use https://unboundtest.com/ to test your DNS record query in a similar way to how Let's Encrypt does it.

Generally you do need to leave a minute or so with a lot of DNS hosts for the authoritative nameserver to sync. Most acme clients have an option to adjust for this wait time (or they poll the nameservers to test them).


Thanks for the response! Yes, I can use https://unboundtest.com/ when manually issuing a certificate, but it won't help me with automating the process.

Most acme clients have an option to adjust for this wait time (or they poll the nameservers to test them).

Yes, lego does poll the nameservers; once it gets the right response, it tries to validate the record. Also, I have set the propagation timeout to 40 minutes.


@rg305 I think there is a kind of misunderstanding. I use ns{1,2}.reg.ru as the servers to poll before starting validation, and they are responding with the right record, because lego then starts trying to validate the record with ACME. But ACME responds that no record was found.


Even now, I created a TXT record for a test,
then waited for about half an hour and ran

dig TXT _acme-challenge.<mydomain> @ns1.reg.ru

I got the right answer, and then tried to check with https://unboundtest.com/, but it responds with no TXT record.

UPD: my domain is dev.simple-customer.liis.su.
At the end of the unbound logs I saw this:

Jul 06 09:38:35 unbound[817995:0] info: reply from <su.>
Jul 06 09:38:35 unbound[817995:0] info: query response was nodata ANSWER
Jul 06 09:38:35 unbound[817995:0] info: NSEC3s for the referral proved no DS.
Jul 06 09:38:35 unbound[817995:0] info: Verified that unsigned response is INSECURE

Could the problem be caused by my top-level domain, .su?

What level are you trying to get the wildcard for? Can you show exactly the name you use when checking the TXT record?

I cannot see a TXT record right now at any level for _acme-challenge.(domain)

Is there one there now that we should see?


I'm trying to get a wildcard for *.dev.simple-customer.liis.su, so the TXT record is created on _acme-challenge.dev.simple-customer.liis.su.

Right now there are no TXT records, because lego creates the record only for passing the ACME challenge and then removes it in any case, on failure or success.


Can you make a test record again so we can try seeing it?


Yes, sure.
I've created a new record on _acme-challenge.dev.simple-customer which contains the word "test".

Btw, I've successfully received a new certificate by adding in the list of DNS servers to poll before validation, because it's one of the servers that synchronizes slowly. But I don't think it is really a good solution in the long run, so if you can suggest any other solutions, it would be very helpful.

What IP does your system use for ns1.reg.ru?

I see:

Name:      ns1.reg.ru
Addresses: 2a00:f940:4::47

My system uses for ns1.reg.ru (checked with ping).

Let me make my point clearer:
You tested only one IP.
The name has eleven IPs.
It might be the case that each IP is a separate cluster member, and it takes time for all the members to synchronize.


Yes. And, another 11 IPs for ns2.reg.ru. Doesn't Let's Encrypt server randomly use either name?

That doesn't affect the lego checks, of course, just cert issuance.
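The point made above (a nameserver name such as ns1.reg.ru fronts many addresses, each possibly a separate cluster member that receives the new record at its own pace, and the validator may land on any of them) suggests a pre-validation check that asks every address behind every authoritative nameserver directly, rather than whichever one the local resolver happens to pick. The script below is an added example, not code from the thread, from lego or from Let's Encrypt. It uses only the Python standard library, with a minimal DNS wire-format encoder and parser for TXT queries sent straight to a given server address. The nameserver names ns1.reg.ru and ns2.reg.ru are from the thread; the record name _acme-challenge.example.net and the token value are assumptions, and build_constructed_response produces a constructed reply so the parser can be exercised offline.

```python
import random
import socket
import struct

TXT_TYPE, IN_CLASS = 16, 1


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS wire format (length-prefixed labels, root terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_txt_query(name: str, txid: int) -> bytes:
    # Flags 0x0000: RD not set, because we ask the authoritative servers directly.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TXT_TYPE, IN_CLASS)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_txt_answers(msg: bytes, txid: int) -> list:
    """TXT strings from the answer section; raises on id mismatch or non-zero rcode."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    txts = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TXT_TYPE:
            # TXT rdata is one or more <len><chars> strings; join them into one value.
            parts, pos = [], 0
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
            txts.append("".join(parts))
    return txts


def build_constructed_response(name: str, txid: int, txts: list) -> bytes:
    """Constructed authoritative reply (QR+AA set) for offline testing of the parser."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(txts), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TXT_TYPE, IN_CLASS)
    answers = b""
    for t in txts:
        raw = t.encode("utf-8")
        rdata = bytes([len(raw)]) + raw
        # 0xC00C is a pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TXT_TYPE, IN_CLASS, 60, len(rdata)) + rdata
    return header + question + answers


def query_txt(server_ip: str, name: str, timeout: float = 3.0) -> list:
    """One UDP TXT query to a specific server address (IPv4 or IPv6)."""
    txid = random.randrange(1, 65536)
    family = socket.AF_INET6 if ":" in server_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name, txid), (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data, txid)


def nameserver_ips(ns_host: str) -> list:
    """Every A/AAAA address behind a nameserver name; each may be a separate cluster member."""
    infos = socket.getaddrinfo(ns_host, 53, proto=socket.IPPROTO_UDP)
    return sorted({info[4][0] for info in infos})


def members_missing_record(ns_hosts, name, expected) -> list:
    """'host/ip' for each address that does not yet serve the expected TXT value."""
    missing = []
    for host in ns_hosts:
        for ip in nameserver_ips(host):
            try:
                have = expected in query_txt(ip, name)
            except (OSError, ValueError):  # timeout, refused, SERVFAIL, etc.
                have = False
            if not have:
                missing.append("%s/%s" % (host, ip))
    return missing
```

A pre-validation hook would call members_missing_record(["ns1.reg.ru", "ns2.reg.ru"], "_acme-challenge.example.net", token) in a loop and only proceed once it returns an empty list (or give up after the propagation timeout). Polling every address is what makes this stricter than checking the nameserver name once: a single query can succeed against one member while another member, which the validator may be routed to, still answers NODATA.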


Thank y'all, now I see my problem!

