When DNSSEC is enabled on a domain, Let's Encrypt cannot create certificates for the subdomain.
Failed to issue a Let's Encrypt certificate for test.subdomain.tld: LetsEncrypt challenge failed for test.subdomain.tld: Some(ServerError { type: Some("urn:ietf:params:acme:error:dns"), title: None, status: Some(400), detail: Some("DNS problem: looking up A for test.subdomain.tld: DNSSEC: Bogus: validation failure <test.subdomain.tld. A IN>: no NSEC3 records from 2a01:4f8:c2c:3c60::1 for DS test.subdomain.tld. while building chain of trust; DNS problem: looking up AAAA for test.subdomain.tld. DNSSEC: Bogus: validation failure <test.subdomain.tld. AAAA IN>: no NSEC3 records from 128.140.45.45 for DS test.subdomain.tld. while building chain of trust") })
When a new subdomain DNS zone is created and DNSSEC is enabled on the parent domain, then DNSSEC should be automatically enabled on the subdomain's DNS zone and the relevant DS records automatically created in the parent DNS zone.
Probably OK for client domains; if they're enabling DNSSEC, then they should already know to do this.
But it should definitely be done automatically if DNSSEC is enabled on a staging domain, as the website owner is likely not going to have access to the parent domain's DNS to create the DS records.
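
An added example, not part of the original report and not the project's own code: one way to derive the DS record that the parent zone needs from the child zone's DNSKEY, following RFC 4034 with a SHA-256 digest (digest type 2). The public key bytes, the TTL and the function names are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner: str, flags: int, algorithm: int, pubkey: bytes,
              ttl: int = 3600, protocol: int = 3) -> str:
    """Zone-file line for the DS record to publish in the parent zone."""
    if not flags & 0x0100:
        # A DS record must refer to a DNSKEY with the Zone Key flag set.
        raise ValueError("DNSKEY is not a zone key")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    # Digest input is the canonical owner name followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    fqdn = owner.rstrip(".").lower() + "."
    return f"{fqdn} {ttl} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

# Constructed sample: 64 placeholder bytes standing in for an algorithm 13
# (ECDSA P-256) public key; a real key comes from the child zone's DNSKEY.
SAMPLE_PUBKEY = bytes(range(64))

if __name__ == "__main__":
    # flags 257 = Zone Key + Secure Entry Point (a key-signing key)
    print(ds_record("test.subdomain.tld", 257, 13, SAMPLE_PUBKEY))
```

The printed line is what would be added to the parent zone and then signed along with the rest of it, so that a validating resolver can build the chain of trust down to the child zone.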