We ran into an issue today with DNS challenge validation. It seems that not all of our domain's authoritative servers (3) received the TXT challenge at the same time (through zone update from our master DNS). This led to the issue that the local challenge check, via the system resolver, returned all okay, but when LetsEncrypt themselves validated the challenge they detected an issue. Debugging showed me that not all of our auth DNS servers got the same result at the same time. So it is highly possible that LetsEncrypt (or rather their resolvers) asked one of our auth servers which did not have the challenge yet, while our system resolver got the positive result from another of our auth servers.
So we discussed this internally and thought that the following solution should mitigate this problem as well as possible: instead of asking the system resolver or any other resolver, the acme.sh code could directly check ALL of the domain's auth DNS servers and ONLY proceed if ALL of them return the same (correct) challenge result. Would something like that be accepted as a feature request? Maybe an additional parameter for the DNS challenge to use the auth DNS servers instead of resolvers?
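The check proposed above, as an added example that is not part of acme.sh or of the original issue: every nameserver listed in the zone's NS set is queried directly for the challenge TXT record, and the function succeeds only when all of them already serve the expected token. ACME_NS_LOOKUP and ACME_TXT_LOOKUP are assumed names (not acme.sh options) that let the dig-based lookups be swapped for the constructed stubs at the end, so the lagging-secondary case can be reproduced offline.

```shell
#!/bin/sh
# Ask EVERY authoritative nameserver of the zone for the ACME TXT record
# and succeed only if all of them already serve the expected token, so a
# lagging secondary cannot be masked by a lucky answer from the system resolver.
# ACME_NS_LOOKUP / ACME_TXT_LOOKUP are assumed names (not acme.sh options):
# they let the lookup commands be swapped for stubs when there is no network.

# Default NS lookup: nameserver hostnames of the zone, via the system resolver.
_ns_lookup() {
  dig +short NS "$1" | sed 's/\.$//'
}

# Default TXT lookup: query ONE nameserver directly and strip the quotes.
_txt_lookup() {
  dig +short @"$1" TXT "$2" | tr -d '"'
}

# check_all_ns ZONE NAME EXPECTED -> 0 only if every NS serves EXPECTED for NAME,
# 1 if at least one server lags behind, 2 if no NS records were found.
check_all_ns() {
  zone=$1; name=$2; expected=$3
  ns_fn=${ACME_NS_LOOKUP:-_ns_lookup}
  txt_fn=${ACME_TXT_LOOKUP:-_txt_lookup}
  servers=$("$ns_fn" "$zone")
  [ -n "$servers" ] || { echo "no NS records found for $zone" >&2; return 2; }
  rc=0
  for ns in $servers; do
    # a name may carry several TXT records; the new token must be among them
    if "$txt_fn" "$ns" "$name" | grep -qxF -- "$expected"; then
      echo "OK   $ns"
    else
      echo "MISS $ns (token not served yet)"
      rc=1
    fi
  done
  return $rc
}

# Constructed offline sample: three nameservers, ns3 still serves the old token.
_stub_ns()  { printf 'ns1.example.net\nns2.example.net\nns3.example.net\n'; }
_stub_txt() { [ "$1" = ns3.example.net ] && echo OLDTOKEN || echo NEWTOKEN; }

# Runs the check against the stubs; returns 1 because ns3 lags behind.
demo_lagging_secondary() {
  ACME_NS_LOOKUP=_stub_ns; ACME_TXT_LOOKUP=_stub_txt
  check_all_ns example.com _acme-challenge.example.com NEWTOKEN
}
```

Call demo_lagging_secondary to see the offline run, or call check_all_ns with a real zone, record name and token to poll the live authoritative servers (dig required). For a subdomain with its own delegation, pass the delegated zone rather than the registrable domain.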
Please upgrade to the latest code and try again first. Maybe it's already fixed.
acme.sh --upgrade
If it's still not working, please provide the log with --debug 2, otherwise nobody can help you.
jahlives changed the title from "DNS based validation only success if ALL authoritative DNS servers return the same (correct) challenge value" to "[Feature Request]: DNS based validation only success if ALL authoritative DNS servers return the same (correct) challenge value" on Nov 8, 2023
jahlives changed the title from "[Feature Request]: DNS based validation only success if ALL authoritative DNS servers return the same (correct) challenge value" to "[Feature]: DNS based validation only success if ALL authoritative DNS servers return the same (correct) challenge value" on Nov 8, 2023