Hidden TXT records interfere with LetsEncrypt DNS-01 validation

I have a very weird issue with "stale" or "hidden" TXT Records for one of the domains I have (running on free plan).

When I query _acme-challenge.example.com via 1.1.1.1 (Cloudflare’s resolver) I see records that are no longer present in my zone file: I can't see them via web.

Example query:

dig TXT _acme-challenge.example.com @1.1.1.1 +short

Returns:

"stale-record-1"
"stale-record-2"

In my zone _acme-challenge.example.com is configured as a CNAME to _acme-challenge.delegated.example.org and there are no other TXT records.

These unexpected TXT responses break validation, as Let’s Encrypt sees incorrect values and never follows the CNAME as expected.

I have tried to use: https://one.one.one.one/purge-cache/ but these TXT records still exist after using that tool.

I tried deleting them via API, but I can't see them on the listings, so I have no record_id to delete.

If I try to add the same record from the web I get this red popup at the bottom stating "An identical record already exists."

Any ideas?

Nnublaii I have a very weird issue with "stale" or "hidden" TXT Records for one of the do...

DarkDeviL•7/10/25, 1:03 PM

I have tried to use: https://one.one.one.one/purge-cache/ but these TXT records still exist after using that tool.

This tool has nothing to do with your authoritative DNS records (in Cloudflare).

As long as the DNS records still exist on the authoritative DNS, they will re-appear again on the next DNS query through

1.1.1.1

1.1.1.1

(or any other recursive DNS / DNS resolver).

1.1.1.1 — One of the Internet’s Fastest, Privacy-First DNS Reso...

Browse a faster, more private internet.

DarkDeviL•7/10/25, 1:03 PM

If you're still having issues, -

What domain?
What do you see under "Edge Certificates
Edge Certificates
"?
-> https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

nublaiiOP•7/14/25, 7:28 AM

Hi there, thanks for answering:

The domain is epneumann.edu.pe (_acme-challenge.epneumann.edu.pe is the one with the problem)
I didn't know that existed... There were 2 certificates built, the main one and a backup. I have disabled it at the bottom and now I don't have any certificates there. I am only using CF for DNS

nublaiiOP•7/14/25, 7:28 AM

nublaiiOP•7/14/25, 7:30 AM

This is all I have on the panel for DNS records (the filter is _acme-challenge)

Nnublaii Hi there, thanks for answering: 1. The domain is epneumann.edu.pe (_acme-challen...

DarkDeviL•7/17/25, 10:03 AM

Yep, the "_acme-challenge
_acme-challenge
" can be a bit strange to play around with at times.
Universal SSL (which is enabled by default) will generate a wildcard certificate (
```
example.com
```
```
example.com
```
and
```
*.example.com
```
```
*.example.com
```
) for you.

In order to generate the wildcard part of the certificate (

*.example.com

*.example.com

), various certificate authorities, such as e.g. Let's Encrypt will require the domain validation is being done via DNS, with the _acme-challenge
_acme-challenge
DNS record.

Universal SSL will be adding the required TXT
TXT
records, on _acme-challenge
_acme-challenge
automatically, once in a while, when it requires them in order to obtain a new certificate for your domain name, such as e.g. because the old one is about to expire.

There is no problems regarding that though...

Nnublaii This is all I have on the panel for DNS records (the filter is _acme-challenge)

DarkDeviL•7/17/25, 10:11 AM

When you're trying to delegate your _acme-challenge
_acme-challenge
DNS record to somewhere else, with record types such as CNAME
CNAME
or NS
NS
records, then the problem may start.

You can do that kind of CNAME
CNAME
or NS
NS
delegation perfectly fine, - but:

If you're doing it at the same time, as when you're using Universal SSL, or having other hosting providers (e.g. two or more different organisations), where they all are trying to be depending on the _acme-challenge
_acme-challenge
DNS record, then you have a conflict.

The conflict will be that you CANNOT delegate via CNAME
CNAME
or NS
NS
towards multiple providers, at the same time.

You can however add multiple TXT
TXT
records, at the same time, if necessary.

So if the destination at "_acme-challenge.delegated.unir.net
_acme-challenge.delegated.unir.net
" (as well as any other hosting providers you may have) were just giving you a new TXT
TXT
every now and then, to replace the previous one with, then it would be able to work just fine.

Nnublaii Click to see attachment

DarkDeviL•7/17/25, 10:14 AM

Just like you see on your own screenshot here, as well as e.g. on this link:

-> https://www.digwebinterface.com/?hostnames=_acme-challenge.epneumann.edu.pe&type=TXT&useresolver=9.9.9.10&ns=all&nameservers=

DarkDeviL•7/17/25, 10:14 AM

Screenshot_2025-07-17_at_12-13-02_Dig_web_interface_-_online_dns_lookup_tool_-__acme-challenge.epneumann.edu.pe.png

DarkDeviL•7/17/25, 10:16 AM

You're (unfortunately) getting quite a bit of mixed and unpredictable results, when you have such kind of conflicts.

nublaiiOP•7/28/25, 9:44 AM

Hi, thanks for the answer (nice web to test things out btw, already bookmarked)
I tried creating the CNAME to see if it would take precedence, but it seems it doesn't.
I have just deleted the CNAME, and the TXT records are still in place (even thou I can't see them on CF's panel):

nublaiiOP•7/28/25, 9:46 AM

and using the tool you used, I now only see the 'ghost' records:

Nnublaii and using the tool you used, I now only see the 'ghost' records:

DarkDeviL•7/29/25, 8:12 PM

Can you share a full page screenshot of https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates?

nublaiiOP•7/30/25, 8:05 AM

Sure thing! and thanks!

Nnublaii Sure thing! and thanks!

DarkDeviL•7/31/25, 8:14 PM

And you're still not having any DNS records, named "_acme-challenge
_acme-challenge
"?

nublaiiOP•8/1/25, 8:21 AM

that's right, I deleted the CNAME, I can see no other records with that name, but when I query 1.1.1.1 or 1.0.0.1 I can see them

nublaiiOP•9/15/25, 1:43 PM

any chance you found something interesting?

nublaiiOP•9/15/25, 1:43 PM

I am still seeing the 'ghost' records

Nnublaii any chance you found something interesting?

DarkDeviL•9/16/25, 9:51 AM

Somehow, I missed your confirmation from the 1st of August.

DarkDeviL•9/16/25, 9:51 AM

?support

SuperHelpflare•9/16/25, 9:51 AM

To contact Cloudflare Support about an issue, please visit the Support Portal and fill in the form on the portal. After submission, you will receive confirmation over email.

Some issues, such as Account or Billing related issues, cannot be solved by the community.
Any plan level (including Free plans) can open tickets for Account, Billing or Registrar ticket categories. Make sure to select the correct category to ensure it goes to the right place.
For more information on the methods by which you can contact Support for your plan level, see Contacting Cloudflare Support - Cloudflare Docs

Nnublaii I am still seeing the 'ghost' records

DarkDeviL•9/16/25, 9:52 AM

Create an Account ticket, and explain that you have problems with stuck "_acme-challenge
_acme-challenge
" records, even though you have disabled Universal SSL, and do not see any records on the DNS page.

Hidden TXT records interfere with LetsEncrypt DNS-01 validation

Similar Threads

Similar Threads

Similar Threads