diff --git a/getssl b/getssl index 8de8353..1cf1454 100755 --- a/getssl +++ b/getssl @@ -1244,14 +1244,21 @@ for d in "${alldomains[@]}"; do add_dns_rr "${d}" "${auth_key}" \ || error_exit "DNS_ADD_COMMAND failed for domain $d" + # shellcheck disable=SC2018,SC2019 + rr="_acme-challenge.$(printf '%s' "${d#\*.}" | tr 'A-Z' 'a-z')" + # find a primary / authoritative DNS server for the domain if [[ -z "$AUTH_DNS_SERVER" ]]; then - # shellcheck disable=SC2018,SC2019 - rr="_acme-challenge.$(printf '%s' "${d#\*.}" | tr 'A-Z' 'a-z')" + # Find authorative dns server for _acme-challenge.{domain} (for CNAMES/acme-dns) get_auth_dns "${rr}" if test -n "${cname}"; then rr=${cname} fi + + # If no authorative dns server found, try again for {domain} + if [[ -z "$primary_ns" ]]; then + get_auth_dns "$d" + fi elif [[ "$CHECK_PUBLIC_DNS_SERVER" == "true" ]]; then primary_ns="$AUTH_DNS_SERVER $PUBLIC_DNS_SERVER" else @@ -1400,7 +1407,7 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n fi # Use SOA +trace to find the name server - if [[ $_TEST_SKIP_SOA_CALL == 0 ]]; then + if [[ -z "$res" ]] && [[ $_TEST_SKIP_SOA_CALL == 0 ]]; then if [[ "$HAS_DIG_OR_DRILL" == "drill" ]]; then debug Using "$HAS_DIG_OR_DRILL -T $gad_d $gad_s" to find primary nameserver test_output "Using $HAS_DIG_OR_DRILL SOA" diff --git a/test/18-retry-dns-add.bats b/test/18-retry-dns-add.bats index 3a79880..25318de 100644 --- a/test/18-retry-dns-add.bats +++ b/test/18-retry-dns-add.bats @@ -30,8 +30,9 @@ DNS_EXTRA_WAIT=0 CHECK_ALL_AUTH_DNS="false" CHECK_PUBLIC_DNS_SERVER="false" DNS_WAIT_RETRY_ADD="true" +_RUNNING_TEST=1 EOF - create_certificate -d + create_certificate assert_failure - assert_line --partial "Retrying adding dns via command" + assert_line --partial "Retrying adding DNS via command" }
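Review bot: The new fallback `get_auth_dns "$d"` runs after `rr` may already have been replaced by `${cname}`, so when the CNAME-target lookup yields no `primary_ns`, the loop continues with `rr` naming a record in the CNAME target's zone while `primary_ns` now describes the servers for `$d`'s zone; whether the later propagation check tolerates that split depends on code after this hunk and is worth confirming before relying on the retry. The fallback also passes the raw `$d` while `rr` is built from `${d#\*.}`, so a wildcard entry queries `*.example.com` rather than the stripped name that the first lookup used; `get_auth_dns "${d#\*.}"` keeps the two lookups consistent. Both new comments misspell the word: `# Find authoritative DNS server for _acme-challenge.{domain} (for CNAMEs/acme-dns)` and `# If no authoritative DNS server was found, retry for {domain} itself`. The enclosing for-loop body starts and ends outside this hunk.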
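Review bot: The added `-z "$res"` guard makes the SOA +trace lookup conditional on a variable that is assigned before this hunk, and nothing in the new code says what `res` holds or why a non-empty value should suppress the SOA path even when `primary_ns` is still empty; a comment such as `# $res holds the answer from the lookup above; only fall back to SOA +trace when it returned nothing` would make the intent checkable. If `res` can be non-empty while `primary_ns` was never derived from it, this change leaves `primary_ns` unset for that call, which the loop-side retry in the first hunk appears to compensate for — every other caller of get_auth_dns should be checked for the same expectation. As a point of style, `[[ -z "$res" && "$_TEST_SKIP_SOA_CALL" == 0 ]]` folds the two tests into one bracket and quotes the test-mode variable. get_auth_dns begins before this hunk and its body continues after it.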
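Review bot: `_RUNNING_TEST=1` is now written into the domain config that the test feeds to getssl, so a test-only switch becomes reachable from the same operator-editable file as `CHECK_ALL_AUTH_DNS` and `DNS_WAIT_RETRY_ADD`; if getssl sources that config, as the surrounding keys suggest, a stray `_RUNNING_TEST=1` in a real config would silently select the test code paths, and exporting the flag from the bats helper instead (`export _RUNNING_TEST=1` before `create_certificate`) keeps it out of the config surface. Dropping `-d` from `create_certificate` changes the output that `assert_line --partial` is matched against, so the retry message must still be emitted without debug output for the test to fail the intended way; that is not visible here. The expected text is changed to `"Retrying adding DNS via command"`, but no hunk in this diff changes the corresponding message in getssl, so the assertion depends on a message change made elsewhere.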