What’s actually happening
Providers validating your domain often check a DNS TXT record from their own infrastructure. Even if your workstation resolves the record, their resolver may still have cached older data or may be querying a different recursive resolver that has not refreshed yet.
Authoritative vs recursive resolvers
The authoritative nameserver is the source of truth for your zone. A recursive resolver caches results and can temporarily return stale data. If the authoritative nameserver has the correct record but a recursive resolver hasn’t refreshed, validation can fail.
Common failure modes
- Wrong hostname: TXT placed at the wrong subdomain instead of the exact _acme-challenge host.
- TTL + caching: old values remain cached after you “fixed” it.
- Multiple tokens: old and new TXT values coexist; the verifier expects one value.
- Slow propagation: DNS parking providers can be unpredictable for subdomain TXT updates.
The TraceMicro approach (fast, verifiable)
- Query authoritative nameservers directly to confirm correctness.
- Check multiple recursive resolvers to confirm global visibility.
- Stabilize changes with a cutover plan (including rollback).
- Re-run verification only once visibility is consistent.
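The first, second and last checks reduce to comparing TXT answer sets per server. The sketch below is an added example, not TraceMicro's tooling: the server names, tokens and the diagnose helper are constructed for illustration, and query_txt assumes dig is installed.

```python
import subprocess

def query_txt(name, server):
    """Live collector: TXT values for `name` as seen by one server (needs dig)."""
    out = subprocess.run(["dig", "+short", "TXT", name, "@" + server],
                         capture_output=True, text=True, timeout=10).stdout
    return {line.strip().strip('"') for line in out.splitlines() if line.strip()}

def diagnose(expected, authoritative, recursive):
    """Map per-server TXT answer sets to the failure modes listed above.

    authoritative / recursive: dict of server name -> set of TXT values.
    Returns (ready, findings); ready is True only when every server
    answers with exactly {expected}.
    """
    findings = []
    for server, values in authoritative.items():
        if expected not in values:
            findings.append(f"{server}: authoritative lacks token "
                            "(wrong hostname or not published)")
        elif len(values) > 1:
            findings.append(f"{server}: authoritative serves {len(values)} "
                            "values (multiple tokens)")
    auth_ok = not findings
    for server, values in recursive.items():
        if values != {expected}:
            cause = "stale cache, wait out the TTL" if auth_ok else "fix the zone first"
            findings.append(f"{server}: recursive view differs ({cause})")
    return (not findings, findings)

# Constructed sample data: the zone is correct, one recursive resolver is stale.
NAME = "_acme-challenge.example.com"
NEW, OLD = "new-token-constructed", "old-token-constructed"
SAMPLE_AUTH = {"ns1.example.net": {NEW}, "ns2.example.net": {NEW}}
SAMPLE_RECURSIVE = {"resolver-a": {NEW}, "resolver-b": {OLD}}

if __name__ == "__main__":
    # For live data, build the dicts with query_txt(NAME, server) instead.
    ready, findings = diagnose(NEW, SAMPLE_AUTH, SAMPLE_RECURSIVE)
    print("re-run verification" if ready else "hold", *findings, sep="\n")
```

Only a ready result of True corresponds to the "visibility is consistent" condition in the last step.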
Need this fixed quickly?
If you’re stuck in “record looks correct” but validation still fails, we can triage DNS visibility and get checkout stable.