I use Traefik and External DNS together on Kubernetes. When I create a new Ingress, Traefik handles the ACME challenge, and External-DNS creates the A entry in the DNS. However, Traefik responds immediately, while External-DNS only updates once every minute. So it almost always happens that Traefik issues the TLS-ALPN-01 challenge before the DNS entries have been created.
Note: This is only the issue during the initial challenge for a new certificate, not for renewals, of course.
How do I resolve this? Can I configure Traefik to delay the challenge by a minute? Can I ensure Traefik retries once after a minute? Maybe there are other ways I am not aware of?