Clearly specify which NS server is used for DNS challenge validation

Site Feedback
1

I was wondering which NS server is used by Let’s Encrypt to validate the DNS challenge.

I found several similar answers on the forum after some googling:

They all says the domain name NS server is directly use, so we should not have any propagation issue.

But I would like something more official than forums answer, and I’m surprised to found nothing about that on the documentation (or maybe I did a wrong search).

It would be great to add a section about this on this page: https://letsencrypt.org/docs/challenge-types/

What do you think?

1 Like
2

Hi @Soullivaneuh

that's not required. Because this

is that, what Letsencrypt uses. Only the authoritative name servers are used.

If that doesn't work, there is a problem with your configuration.

1 Like
3

I am not sure we understood each other.

I am not especially asking what NS server is used but suggesting to clarify this on the official documentation.

Forum answers is not reliable in my opinion. They may be errornous and/or updated.

For example, the first visible answer of the topic tells Let’s Encrypt is using Google’s name servers: DNS Servers used by LetsEncrypt for Challenges

This might be confusing for the user, don’t you think?

1 Like
4

EDIT: My bad I misunderstood the question as well :man_facepalming:

@Soullivaneuh Let’s Encrypt operates their own recursive resolvers. They step through the root servers, com (or other zone) servers, then your authoritative servers defined at your registrar.

There is never any propagation issues because the validation resolvers only have a 5 minute (or so) TTL, regardless of what you have configured.

Unless your nameservers are slow to update for some reason of course. But that would be an issue you would have to take up with your registrar or dns provider.

1 Like
5

Additional:

These are Unbound instances. And it's official documented.

The Unbound instances use the same configuration like

https://unboundtest.com/

3 Likes
7

On forum only, not on the website, or I would appreciate a link to. :slight_smile:

This is why I opened this thread. If you think updating the website not worth it, then you may close the topic.

I think having a single reference on a single website makes things easier to understand and avoid repeated questions.

Regards

1 Like
8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.