Blocking non-dns auth (Dynamic IP)


I’d like to use a Let’s Encrypt certificate on a web server hosted on my home internet connection.

I have a dynamic address - I think that means if my address changes and the ip address is given to another subscriber, they can then pass http validation.

I think this could be solved by pinning the authentication method to be dns-based only through a dns record? Is this possible?



Not yet, it will be some time before CAA parameters are available in production. At the moment it is only available on staging, which only produces non-trusted testing certificates.

You should also be able to eventually pin your exact ACME account ID to the domain as well, which is what you really need!

For now, what you can do is prevent anybody from issuing certificates whatsoever between renewals.

Have a pair of hooks before and after renewing that remove and re-add this record:    IN    CAA    0 issue ";"


Very helpful. Thanks :grinning:


Only if you don’t update your DNS records when your IP address changes.


Sure, but it doesn’t always happen instantly or reliably. What if your dynamic DNS client only polls every 5 minutes? What if your DNS provider takes 30 seconds to update? What if your connection is down for a week due to a hurricane and your IP gets reassigned?

It’s advantageous that Let’s Encrypt doesn’t cache DNS, but it’s still typical for there to be a window of vulnerability. Might as well close it if possible.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.