named not serving letsencrypt TXT records
Am trying to renew/create letsencrypt certs using DNS auth:
certbot-auto -d xxx.it -d mail.xxx.it --manual --preferred-challenges dns certonly
However, after inserting the requested records:
Please deploy a DNS TXT record under the name
_acme-challenge.mail.xxx.it with the following value:
yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE
Before continuing, verify the record is deployed.
The challenge fails.
Indeed, if I try:
$ dig _acme-challenge.mail.xxx.it TXT
The request also fails, though the zone file includes the record:
# fgrep TXT /var/named/chroot/var/named/master/xxx.it
_acme-challenge.mail.xxx.it IN TXT "yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE"
I am supposing that BIND (bind-9.8.2-0.62.rc1.el6_9.4.x86_64) is somehow refusing to serve records with leading underscores, but the docs/google aren't helping.
Any ideas?
Edit: As pointed out in the answer below, host parts in zone records need to have a trailing dot OR have the domain part stripped. Look after you copy and paste.
In your zone file you need to end the domain with a "." ; that tells BIND not to append the origin you list in the zone:
_acme-challenge.mail.xxx.it. IN TXT "yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE"
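An added example, not part of the question or answer: it models BIND's owner-name rule (a name without a trailing dot is relative and gets the zone origin appended) and lints a constructed zone snippet for exactly the mistake above, where a relative owner already contains the origin and ends up served as a doubled name. The zone contents, token and 192.0.2.10 address are constructed placeholders.

```python
# Constructed sample zone: the record as pasted in the question (no trailing
# dot) next to the two corrected spellings from the answer.
SAMPLE_ZONE = """\
$ORIGIN xxx.it.
$TTL 3600
@    IN SOA ns1 hostmaster 2024010101 3600 900 604800 300
mail IN A   192.0.2.10
_acme-challenge.mail.xxx.it  IN TXT "token" ; relative: origin gets appended
_acme-challenge.mail.xxx.it. IN TXT "token" ; absolute: trailing dot
_acme-challenge.mail         IN TXT "token" ; relative: origin stripped
"""

def _absolute(name):
    return name if name.endswith(".") else name + "."

def qualify(owner, origin):
    """BIND owner-name rule: '@' is the origin, a name ending in '.' is
    absolute, anything else is relative and gets the origin appended."""
    origin = _absolute(origin)
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin}"

def lint_zone(zone_text, origin):
    """Return [(fqdn, warning_or_None)] per record line, warning when a
    relative owner already ends with the origin (it would be served doubled).
    Simplification: comments are cut at the first ';' even inside quotes."""
    origin = _absolute(origin)
    findings, last_owner = [], "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = _absolute(line.split()[1])
            continue
        if line.startswith("$"):
            continue
        # A line starting with whitespace reuses the previous owner name.
        owner = last_owner if raw[0].isspace() else line.split()[0]
        last_owner = owner
        fqdn = qualify(owner, origin)
        warn = None
        rel = owner + "."
        if owner != "@" and not owner.endswith(".") and (rel == origin or rel.endswith("." + origin)):
            warn = (f"owner '{owner}' is relative but already contains the origin; "
                    f"named will serve it as {fqdn} (add a trailing dot or drop '{origin}')")
        findings.append((fqdn, warn))
    return findings
```

Running lint_zone(SAMPLE_ZONE, "xxx.it") flags only the first TXT line, whose name resolves to _acme-challenge.mail.xxx.it.xxx.it., which is why dig for _acme-challenge.mail.xxx.it returns nothing.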