I've filed an issue with Google (https://issuetracker.google.com/issues/123397631) but lego probably needs a workaround for the problem. The summary is that even once all of a domain's nameservers have responded with the correct data (and thus triggering a successful result of lego's pre-check routines), one or more of the nameservers may revert to responding with old data or NXDOMAIN. They eventually settle down after a (potentially unbounded?) amount of time.

I'm not sure what the best way is of adding extra time to the pre-check method. Because checkDNSPropagation() isn't exported, I can't simply create a pre-check function that calls it first, then waits (or continues to check for a while). Simply trying again isn't a great option, since there's no way to deactivate the authorization from this side of the API, as (as best I can tell) there's no access to the authorization URI in the error you get back from Obtain() and no way to create it from the ObtainRequest, and I accidentally ended up maxing out the authorizations rate limit figuring this out (thankfully I kept the logs containing the URIs).

I'm happy to put a fix together, but would appreciate some direction.