20s was too tight: yeil serves DNS from edge replicas fed by a
replication log, so a freshly-written _acme-challenge TXT takes a bit to
appear on every authoritative nameserver. Let's Encrypt's secondary
(multi-perspective) validation hit a not-yet-converged replica and saw a
stale value -> 'incorrect TXT record found'. 60s lets all replicas catch
up (matches what already works in practice for wildcard certs).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
3d606b20bc