named not serving letsencrypt TXT records

Am trying to renew/create letsencrypt certs using DNS auth:

certbot-auto -d xxx.it -d mail.xxx.it --manual --preferred-challenges dns certonly

However, after inserting the requested records:

Please deploy a DNS TXT record under the name
_acme-challenge.mail.xxx.it with the following value:

yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE

Before continuing, verify the record is deployed.

The challenge fails.

Indeed, if I try:

$ dig_acme-challenge.mail.xxx.it TXT

The request also fails, though the zone file includes the record:

 # fgrep TXT /var/named/chroot/var/named/master/xxx.it
 acme-challenge.mail.xxx.it IN  TXT     "yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE"

I am supposing that BIND (bind-9.8.2-0.62.rc1.el6_9.4.x86_64) is somehow refusing to serve records with leading underscores, but the docs/google aren't helping.

Any ideas?

Edit As pointed in the answer below, host parts in zone records need to have a trailing dot OR have the domain part stripped. Look after you copy and paste.


In your zone file you need to end the domain with a . that tells bind not to append the origin you list in the zone

 acme-challenge.mail.xxx.it. IN  TXT     "yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE"