22 replies

Hidden TXT records interfere with LetsEncrypt DNS-01 validation

I have a very weird issue with "stale" or "hidden" TXT Records for one of the domains I have (running on free plan).

When I query _acme-challenge.example.com via 1.1.1.1 (Cloudflare’s resolver) I see records that are no longer present in my zone file: I can't see them via web.

Example query:

dig TXT _acme-challenge.example.com @1.1.1.1 +short

Returns:

"stale-record-1"
"stale-record-2"

In my zone _acme-challenge.example.com is configured as a CNAME to _acme-challenge.delegated.example.org and there are no other TXT records.

These unexpected TXT responses break validation, as Let’s Encrypt sees incorrect values and never follows the CNAME as expected.

I have tried to use: https://one.one.one.one/purge-cache/ but these TXT records still exist after using that tool.

I tried deleting them via API, but I can't see them on the listings, so I have no record_id to delete.

If I try to add the same record from the web I get this red popup at the bottom stating "An identical record already exists."

Any ideas?

Cloudflare Developers•8mo ago•

22 replies

nublaii

Hidden TXT records interfere with LetsEncrypt DNS-01 validation

Hidden TXT records interfere with LetsEncrypt DNS-01 validation

Similar Threads

Hidden TXT records interfere with LetsEncrypt DNS-01 validation

Similar Threads

Similar Threads

Similar Threads