Hi Greg,
we are using dns01goacme with pdns to manage DNS records and came across the following issue. When trying to order a cert that has a common name "*.t.mailkit.eu" and a SAN added "t.mailkit.eu" to have a cert generated covering both the wildcard and the subdomain itself (this is what digicert requires) the system tries to create 2 identical DNS records.
1/30/2026, 2:00:16 PM, info, challenges/provisioning.go:71, challenges: deprovisioned domain t.mailkit.eu
1/30/2026, 2:00:13 PM, error, authorizations/fulfiller.go:31, auths: failed to fulfill auth https://one.digicert.com/mpki/api/v1/acme/v2/authz/redacted
(pdns: error talking to PDNS API: Duplicate record in RRset _acme-challenge.t.mailkit.eu. IN TXT with content ""redacted"")
1/30/2026, 2:00:13 PM, debug, acme/post_signed.go:148, acme signed post response code: 200 ; body: {
"status": "pending",
"challenges": [
{
"status": "pending",
"token": "redacted",
"type": "dns-01",
"url": "https://one.digicert.com/mpki/api/v1/acme/v2/challenge/redacted/redacted"
},
{
"status": "pending",
"token": "redacted",
"type": "http-01",
"url": "https://one.digicert.com/mpki/api/v1/acme/v2/challenge/redacted/redacted"
}
],
"identifier": {
"type": "dns",
"value": "t.mailkit.eu",
"isWildcard": true
},
"wildcard": true
}
1/30/2026, 2:00:13 PM, info, challenges/solver.go:115, challenges: waiting until Fri, 30 Jan 2026 14:03:13 CET before checking resource propagation of t.mailkit.eu
1/30/2026, 2:00:13 PM, debug, challenges/provisioning.go:41, challenges: domain t.mailkit.eu used token redacted (key auth: redacted)
1/30/2026, 2:00:13 PM, info, challenges/provisioning.go:40, challenges: provisioned domain t.mailkit.eu
that ultimately means that no record is really added to the zone and the DNS validation fails. Would it be possible to dedupe the DNS changes before submitting the request to update dns?
