I recently stumbled across this client implementation: https://github.com/veeti/manuale - and I am quite intrigued with its caching of the DNS authorization. We don’t operate the front end DNS servers ourselves, so changing the TXT entries for every renewal is not feasible. In the source, manuaLE mentions a current lifetime of 300+ days for DNS challenges on LE’s side - can someone from LE confirm that this is the case, and if this is intended to stay this way?
We need to decide on certs for a new service, and the X3/X4 change has already caused some headache for us, so we would like to know if this caching is going to stay, or if changing the authorization with every renewal (as in the official client) is the only safe way to plan for the future.
You don’t have to set a new TXT record for every renewal indeed. I’m not sure how it’s done in the official client, but for example in the Perl client (and on ZeroSSL) if your previous verification is still valid, the process goes straight to getting the certificate, without the challenge/verification step.
300 days are currently hardcoded in the boulder code:
There hasn’t been any discussion about reducing the lifetime of authorization resources. The CA/B Forum is currently developing new rules for domain validation and is probably going to settle on a validation period that is significantly longer than the 300 days currently in use by Let’s Encrypt, so you should be good on that front too. At the very least, the expiration dates for authorization resources should not be changed after the fact, so you should be able to at least assume that your current authorizations will last 300 days, and any change will probably be announced somewhere.
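The reuse decision the replies above describe (skip the dns-01 challenge only while the CA-side authorization is still valid) can be made client-side from the cached authorization object. This is an added example, not code from manuaLE, the Perl client or boulder; the authorization JSON is a constructed sample and the seven-day safety margin is an assumed policy.

```python
import json
from datetime import datetime, timedelta

# Constructed sample: the shape of an ACME authorization object a client
# might cache after a successful dns-01 validation (all values made up).
CACHED_AUTHZ_JSON = json.dumps({
    "identifier": {"type": "dns", "value": "example.com"},
    "status": "valid",
    "expires": "2017-01-15T12:00:00Z",
    "challenges": [{"type": "dns-01", "status": "valid"}],
})

# Assumed policy: re-validate this long before the CA's expiry so a renewal
# run never leans on an authorization that lapses while it is in progress.
RENEW_MARGIN = timedelta(days=7)


def parse_rfc3339(ts):
    """Parse the RFC 3339 timestamp ACME uses for 'expires' into an aware datetime."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)


def authz_is_reusable(authz_json, domain, now):
    """Return True only if the cached authorization can skip the challenge step.

    It must be for the requested dns identifier, be marked valid by the CA, and
    not be about to expire. Any other state (pending, invalid, revoked,
    deactivated, or a missing expiry) forces a fresh validation instead of
    trusting stale local state.
    """
    authz = json.loads(authz_json)
    ident = authz.get("identifier", {})
    if ident.get("type") != "dns" or ident.get("value") != domain:
        return False
    if authz.get("status") != "valid":
        return False
    expires = authz.get("expires")
    if not expires:
        return False
    return parse_rfc3339(expires) - now > RENEW_MARGIN
```

A client using this check would fall through to requesting a new authorization (and setting a new TXT record) only when it returns False.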