Certificate authorities often validate domain control through DNS TXT records and consult CAA records before issuing. Dig confirms whether the validation record is publicly visible with the expected value.
Useful dig commands
dig _acme-challenge.example.com TXT
dig example.com CAA
Troubleshooting checklist
- Check the exact validation hostname, including any prefix the CA requires (such as _acme-challenge) and the trailing domain.
- Check the TXT record and its quote handling: the published value must match exactly, without the surrounding quotes and without being split or padded.
- Check CAA if the certificate authority reports that it is not permitted to issue for the name.
- Wait for the TTL to expire before retrying validation, so that resolvers stop serving the old answer.
- Remove stale challenge records after the certificate is issued, if your CA allows it.
How to interpret the result
If the answer matches the expected value, DNS is probably not the layer causing the current symptom. Continue with HTTP, TLS, mail server, firewall, or application checks. If the answer is missing, stale, or differs between resolvers, keep the investigation in DNS until the public answer is correct everywhere.
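The checklist and the cross-resolver comparison above, written out as a script. This is an added example, not part of the original page: it assumes dig is installed, and the hostname, expected token, zone, CA name and resolver list are placeholders to replace with your own values.

```shell
#!/bin/sh
# Added example (not from the original page): check a DNS validation TXT
# record across several public resolvers and check CAA for the issuing CA.
# Assumes dig is installed; the five values below are placeholders.
NAME="_acme-challenge.example.com"    # exact validation hostname
EXPECTED="REPLACE_WITH_ACME_TOKEN"    # value the ACME client told you to publish
ZONE="example.com"                    # where CAA is checked (CAs also walk up parent names)
CA="letsencrypt.org"                  # CAA issuer name of your certificate authority
RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"   # public resolvers to compare

# Print each TXT value from "dig +noall +answer" output, one per line. A long
# TXT record arrives as several quoted strings; they are joined and the quotes
# stripped so the value compares directly with EXPECTED. CNAME lines are skipped.
txt_values() {
  awk '$4 == "TXT" { rd = ""; for (i = 5; i <= NF; i++) rd = (i == 5) ? $i : rd " " $i
                     gsub(/" "/, "", rd); gsub(/"/, "", rd); print rd }'
}
# TTL of the first TXT answer: how long a stale cached value can survive.
txt_ttl() { awk '$4 == "TXT" { print $2; exit }'; }

# Exit 0 if the CAA answer on stdin permits CA. No CAA records at all also
# permits (an empty set means any issuer); parameters after ";" are ignored.
caa_permits() {
  awk -v ca="$1" '$4 == "CAA" { seen = 1; gsub(/"/, "", $7); sub(/;$/, "", $7)
                                if ($6 ~ /^issue(wild)?$/ && $7 == ca) ok = 1 }
                  END { exit !(ok || !seen) }'
}

# Query every resolver and report match, mismatch or absence, with the TTL.
check_resolvers() {
  rc=0
  for r in $RESOLVERS; do
    ans=$(dig "@$r" "$NAME" TXT +noall +answer +time=2 +tries=1)
    if printf '%s\n' "$ans" | txt_values | grep -qxF -- "$EXPECTED"; then
      echo "$r: match (TTL $(printf '%s\n' "$ans" | txt_ttl)s)"
    else
      echo "$r: missing or different value:"
      printf '%s\n' "$ans" | txt_values | sed 's/^/    /'
      rc=1
    fi
  done
  return $rc
}

if command -v dig >/dev/null 2>&1; then
  check_resolvers || echo "Resolvers disagree or lack the record: stay in DNS until they agree."
  if dig "$ZONE" CAA +noall +answer +time=2 +tries=1 | caa_permits "$CA"; then
    echo "CAA at $ZONE permits $CA"
  else
    echo "CAA at $ZONE does not permit $CA"
  fi
fi
```

Record the per-resolver lines it prints; they are exactly the name, type, resolver, value and time that the support note below asks for.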
Support note
When opening a ticket with a DNS provider, include the exact name, record type, resolver tested, returned value, and time of the lookup. That is much more useful than saying “DNS is not working.”