API Interface to Flush a Specific DNS Entry on Boulder

I had to fall back to manual registration due to some issues with certbot & my config.

I’m in the process of changing IPv6 from one tunnel service to another, and also had to update my AAAA records and add letsencrypt.org to CAA.

It seems that the LE servers have cached the old AAAA records, which have a 24-hour TTL.

Is there a way to tell the LE DNS servers to flush their cache for a specific host?

If not, it would be helpful to have one, or at least to configure them with a sensible max_ttl, since I must not be the first with these kinds of issues… Sensible means “for debugging getting a certificate”, and is probably no longer than 10 minutes or so. There’s not much point in respecting long TTLs for LE, since most traffic is at most twice a day for a given hostname…

Yes, I know I can “just wait”…
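The question above hinges on two things a cache can hide: what the authoritative servers actually serve for the AAAA record (and with what TTL), and whether the CAA record really authorizes letsencrypt.org. The script below is an added example, not code from the original post or from Let’s Encrypt. It sends a non-recursive query straight to a nameserver over UDP using only the Python standard library, parses the AAAA/CAA answers together with their TTLs, and applies the CAA issue/issuewild rule for letsencrypt.org. The hostnames, addresses and record contents in the `demo()` function are constructed for offline illustration and are not real data; the parent-domain CAA climb that CAs perform when a name has no CAA records is deliberately out of scope.

```python
"""Ask a nameserver directly for AAAA/CAA records, bypassing any resolver cache (stdlib only)."""
import secrets
import socket
import struct
import sys

QTYPE = {"A": 1, "AAAA": 28, "CAA": 257}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=None):
    """Build a query with RD=0 so an authoritative server answers from its own zone data."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def decode_rdata(rtype, rdata):
    if rtype == 1:
        return socket.inet_ntop(socket.AF_INET, rdata)
    if rtype == 28:
        return socket.inet_ntop(socket.AF_INET6, rdata)
    if rtype == 257:                               # CAA: flags, tag length, tag, value (RFC 8659)
        taglen = rdata[1]
        return (rdata[0], rdata[2:2 + taglen].decode("ascii"), rdata[2 + taglen:].decode("ascii"))
    return rdata.hex()


def parse_response(msg, txid):
    """Return rcode, the AA flag and the answer section as (name, type, ttl, value) tuples."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                            # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, TYPE_NAME.get(rtype, rtype), ttl, decode_rdata(rtype, msg[off:off + rdlen])))
        off += rdlen
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "answers": answers}


def letsencrypt_allowed(caa_values, wildcard=False):
    """CAA issue/issuewild check for letsencrypt.org over one name's own CAA records only."""
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for (_f, t, v) in caa_values if t == tag]
    if wildcard and not relevant:                 # no issuewild: the issue records apply instead
        relevant = [v for (_f, t, v) in caa_values if t == "issue"]
    if not relevant:                               # no restriction at this name
        return True
    return any(v.split(";", 1)[0].strip() == "letsencrypt.org" for v in relevant)


def query(server, name, qtype, timeout=3.0):
    """Send one UDP query to `server` (an IPv4 address of a nameserver) and parse the reply."""
    txid, pkt = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)


def build_response(txid, name, qtype, rrs):
    """Constructed authoritative response for offline demonstration; not captured from a real server."""
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1, len(rrs), 0, 0)   # QR=1, AA=1, rcode 0
    body = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    for rtype, ttl, rdata in rrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return hdr + body


def caa_rdata(tag, value, flags=0):
    return bytes([flags, len(tag)]) + tag.encode("ascii") + value.encode("ascii")


def demo():
    """Parse constructed AAAA and CAA answers for a hypothetical host (names/addresses are made up)."""
    aaaa = build_response(0x1234, "host.example.net", "AAAA",
                          [(28, 86400, socket.inet_pton(socket.AF_INET6, "2001:db8:1::10"))])
    caa = build_response(0x1234, "example.net", "CAA",
                         [(257, 3600, caa_rdata("issue", "letsencrypt.org")),
                          (257, 3600, caa_rdata("issuewild", ";"))])
    a, c = parse_response(aaaa, 0x1234), parse_response(caa, 0x1234)
    return a, c, letsencrypt_allowed([v for (_n, _t, _ttl, v) in c["answers"]])


if __name__ == "__main__":
    # e.g.  python3 dnscheck.py 198.51.100.53 host.example.net AAAA   (nameserver IP is an assumption)
    server, name, qtype = sys.argv[1:4]
    r = query(server, name, qtype)
    print("authoritative" if r["aa"] else "NOT authoritative (answer may be cached)", "rcode", r["rcode"])
    for rr in r["answers"]:
        print(rr)
```

Run it against each of the zone’s authoritative nameservers in turn: an answer without the AA flag means you hit a cache, and the TTL printed is the longest any well-behaved resolver will keep the old AAAA once it has been fetched, which is why lowering it before a migration matters.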

hi @tlhackque

“configure them with a sensible max_ttl”

I am pretty sure most DNS servers follow what the Name servers of the domain have as TTL. So why not set a reasonable TTL on your end?

I have changed your request to a Feature Request. The ACME protocol doesn’t specify the functioning of the DNS resolvers, so having an API call for the server to clear a given domain’s DNS cache could be very difficult (for example, how do you know the person requesting the clearance owns the domain?).

If you ever need to do this again (swap providers), the first thing you should do is move the TTL for all your records down to 1 hour a couple of days beforehand and then move them back post-migration.

Andrei

The Let’s Encrypt DNS resolvers have a very low maximum TTL. Something like 60 seconds, if that. Cached DNS records should virtually never be a problem.

