[GH-ISSUE #353] TXT record returns two values - doesn't seem that should be possible #196

Open
opened 2026-03-13 16:07:35 +03:00 by kerem · 4 comments
Owner

Originally created by @bbct on GitHub (May 31, 2024).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/353

My renewal was failing, the value returned for my TXT record didn't match.
I used nslookup to see what the value is.
Somehow I've managed to get 2 values stored for the same TXT record:

Non-authoritative answer:
90103513-A497-46F6-944e-32CDf9D25794.My.domain.COM text =

    "SqTGI30-hNDOzuDCCARZx8_ca8dbhCCJ45emjGEQTec"

90103513-A497-46F6-944e-32CDf9D25794.My.domain.COM text =

    "M4Js9Ps56wQZn5v6_j45LQLk4ZquUjfxsXiKfRx6gBI"

The second one is the correct one, the first one must be older? Should two TXT records even exist like this?
Question 1: any idea how I managed to do this?
Question 2: how do I delete the TXT records to start from scratch?

Disclosure - As I am testing this out first, I may have registered this same domain a second time under different credentials, perhaps that is why it is returning two values?

Perhaps I should just start with a fresh db, and start over? I've registered only a couple domains. If I need to start over, what's the best way?

Thank you for any help you can provide.


@bbct commented on GitHub (May 31, 2024):

FYI - using Sqlite3, I queried the txt table, there were two rows for each Subdomain. I deleted the oldest for each pair, and it seems to be working now.
Still not sure how I got two TXT records for each subdomain...


@aduzsardi commented on GitHub (May 31, 2024):

afaik, that's the desired behavior (having 2 txt records) for wildcard certificates


@bbct commented on GitHub (May 31, 2024):

Interesting, aduzsardi. It wasn't actually a wildcard cert I requested, though. Just a single domain.


@joohoi commented on GitHub (May 31, 2024):

Yeah, this is true. A use case where the CA requires two different tokens
in the same subdomain is a wildcard certificate and the apex domain in the
same certificate.

That said, the CA will respect a correct validation token in any of the
records. Additional ones do not matter.

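The point made in the last comment, that a correct validation token in any of the TXT records is enough, shown as an added example (not code from acme-dns or from anyone in this thread): it parses nslookup-style output, collects every TXT value for the name, and checks the expected DNS-01 digest (RFC 8555) against all of them instead of only the first. The name and key authorizations are constructed for the example.

```python
import base64
import hashlib
import re

def expected_txt_value(key_authorization):
    """RFC 8555 section 8.4: unpadded base64url of SHA-256(key authorization)."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def parse_nslookup_txt(output):
    """Map each owner name (lower-cased) to the list of its TXT record values."""
    records = {}
    current = None  # string chunks of the record currently being read
    for line in output.splitlines():
        header = re.match(r"\s*(\S+)\s+text\s*=\s*(.*)$", line)
        if header:
            current = []
            name = header.group(1).rstrip(".").lower()
            records.setdefault(name, []).append(current)
            line = header.group(2)
        if current is not None:
            # A record split into several quoted strings is one value.
            current.extend(re.findall(r'"([^"]*)"', line))
    return {n: ["".join(c) for c in recs] for n, recs in records.items()}

def challenge_satisfied(output, name, key_authorization):
    """True if any TXT value at `name` equals the expected digest."""
    values = parse_nslookup_txt(output).get(name.rstrip(".").lower(), [])
    return expected_txt_value(key_authorization) in values

# Constructed sample: made-up name and key authorizations, laid out like the
# nslookup answer in the issue (stale value first, current value second).
NAME = "0f0f0f0f-EXAMPLE.auth.example.org"
CURRENT_KA = "constructed-token.constructed-thumbprint"
STALE_KA = "constructed-old-token.constructed-thumbprint"
SAMPLE = (
    "Non-authoritative answer:\n"
    f"{NAME}\ttext =\n\n    \"{expected_txt_value(STALE_KA)}\"\n\n"
    f"{NAME}\ttext =\n\n    \"{expected_txt_value(CURRENT_KA)}\"\n"
)

if __name__ == "__main__":
    print(parse_nslookup_txt(SAMPLE)[NAME.lower()])
    print("challenge satisfied:", challenge_satisfied(SAMPLE, NAME, CURRENT_KA))
```

A check that compares only the first returned value would report a mismatch on this sample even though the current token is present.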