named not serving letsencrypt TXT records

bind lets-encrypt

Am trying to renew/create letsencrypt certs using DNS auth:

certbot-auto -d xxx.it -d mail.xxx.it --manual --preferred-challenges dns certonly

However, after inserting the requested records:

Please deploy a DNS TXT record under the name
_acme-challenge.mail.xxx.it with the following value:

yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE

Before continuing, verify the record is deployed.

The challenge fails.

Indeed, if I try:

$ dig_acme-challenge.mail.xxx.it TXT

The request also fails, though the zone file includes the record:

 # fgrep TXT /var/named/chroot/var/named/master/xxx.it
 acme-challenge.mail.xxx.it IN  TXT     "yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE"

I am supposing that BIND (bind-9.8.2-0.62.rc1.el6_9.4.x86_64) is somehow refusing to serve records with leading underscores, but the docs/google aren't helping.

Any ideas?

Edit As pointed in the answer below, host parts in zone records need to have a trailing dot OR have the domain part stripped. Look after you copy and paste.


In your zone file you need to end the domain with a . that tells bind not to append the origin you list in the zone

 acme-challenge.mail.xxx.it. IN  TXT     "yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE"

Related

DDoS block source IP at ISP
FFMPEG command to stream video to a Multicast address
Change a position based script to move folders only if the folder name exists in the text file line
Why isn't my old hard drive connecting to my new computer?
Creating a numbered list without periods in Powerpoint
What is the difference between the EXIF tags CreateDate, CreationDate, etc.?
can i boot from a blue ray? [duplicate]
Multiple WSL2 distros connected to single X11 server
Can you encrypt drive with BitLocker when it's formatted using ReFS?
Simulation time change multisim
Move existing articles to another group in Gnus
Run Badlion Client in a non-admin account