The description of the RFC 2136 provider's approach to ensuring that updated DNS records will be visible to resolvers in the Rate Limits section says that it queries all nameservers in the domain's SOA RR.
That's misleading, as there's only one nameserver in the SOA RR, it's often invalid and the acme provider doesn't query it anyway.
Instead it finds the authoritative nameservers for the domain and queries those.
The code is correct, the documentation isn't.
Something like this would be better:
> The `rfc2136` provider waits until *all* nameservers authoritative for your domain
> respond with the same result before it contacts Let's Encrypt to complete the
> challenge process. This is because the challenge server contacts a
> non-authoritative DNS server that does a recursive query (a query for records it
> does not maintain locally). If not all the authoritative servers contain the correct
> values, it's likely that the non-authoritative server will have bad information
> as well, causing the request to go against rate limits and eventually locking
> the process out.
Happy to turn this into a PR, if needed.
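The readiness check the issue describes, written out as an added example (this is not cert-manager's or the `rfc2136` provider's own code): walk up the labels to the zone apex, read the zone's NS RRset rather than the single MNAME in the SOA, query each listed server directly, and report ready only when every one of them returns the expected TXT value. The `lookup` callback, the `RECURSIVE` placeholder and the sample zone data are constructed assumptions so the script runs offline.

```python
"""Propagation readiness check modelled on the behaviour the issue describes.
Added example, not the provider's code. All DNS data below is constructed."""

from typing import Callable, Dict, List, Optional, Tuple

# lookup(server, name, rdtype) -> list of record strings, [] when absent.
# "server" is either the placeholder RECURSIVE (the local resolver) or the
# hostname of one authoritative server that is queried directly.
Lookup = Callable[[str, str, str], List[str]]

RECURSIVE = "recursive"  # assumed placeholder for the local recursive resolver


def find_zone(fqdn: str, lookup: Lookup) -> Optional[str]:
    """Walk up the labels until a name that owns an SOA record is found."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if lookup(RECURSIVE, candidate, "SOA"):
            return candidate
    return None


def authoritative_nameservers(zone: str, lookup: Lookup) -> List[str]:
    """The zone's NS RRset, not the single (often stale) MNAME in the SOA."""
    return sorted(lookup(RECURSIVE, zone, "NS"))


def all_authoritative_agree(
    fqdn: str, expected: str, lookup: Lookup
) -> Tuple[bool, Dict[str, List[str]]]:
    """Query every authoritative server directly and succeed only when each
    one returns the expected TXT value. Returns (ready, answers per server)."""
    zone = find_zone(fqdn, lookup)
    if zone is None:
        return False, {}
    nameservers = authoritative_nameservers(zone, lookup)
    if not nameservers:
        return False, {}
    answers = {ns: lookup(ns, fqdn, "TXT") for ns in nameservers}
    ready = all(expected in txts for txts in answers.values())
    return ready, answers


# ---- constructed sample data (not real DNS) ----
def make_lookup(lagging: bool) -> Lookup:
    """Two authoritative servers; when lagging=True ns2 has not yet received
    the new TXT record, which is exactly the case the provider waits out."""
    zone = "example.test."
    name = "_acme-challenge.www.example.test."
    data = {
        (RECURSIVE, zone, "SOA"): [
            "ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600"
        ],
        (RECURSIVE, zone, "NS"): ["ns1.example.test.", "ns2.example.test."],
        ("ns1.example.test.", name, "TXT"): ["token-abc"],
        ("ns2.example.test.", name, "TXT"): [] if lagging else ["token-abc"],
    }

    def lookup(server: str, qname: str, rdtype: str) -> List[str]:
        return list(data.get((server, qname, rdtype), []))

    return lookup


if __name__ == "__main__":
    for lagging in (False, True):
        ready, answers = all_authoritative_agree(
            "_acme-challenge.www.example.test.", "token-abc", make_lookup(lagging)
        )
        print(f"lagging={lagging} ready={ready} answers={answers}")
```

To run this against live DNS, replace `make_lookup` with a callback that, for the `RECURSIVE` server, uses the system resolver and, for a named authoritative server, sends the query to that server's address only (with dnspython, a `dns.resolver.Resolver(configure=False)` whose `nameservers` list holds just that address). The per-server answers are worth logging: a persistent mismatch on one server is the signal that the provider's wait will never clear and that the zone's secondaries are not receiving updates.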