Do DNS Challenge Records have an expiration?


#1

When using the dns-01 verification type, we are required to put a TXT record in our DNS zone. I’ve noticed that when requesting new certs for the same host name, the DNS record doesn’t change (given that the same account is used). Will this record ever require to be changed on a future renewal?

Background on why I ask: I am looking at using letsencrypt certs for intranet web servers (servers not accessible from the internet), thus we cannot use the normal http challenge. But we can use the DNS challenge instead. However for security concerns, I do not want to grant our servers the ability to make changes to our DNS zone. So instead what I’m thinking is that if this record doesn’t ever need to change, I can just ensure the servers share the same letsencrypt account, and then they can retrieve the cert without needing DNS access.


#2

Hi @phemmer,

Yes, a different DNS record may be required to be posted in the future. So I don’t think the approach you suggested will work.


#3

Hi @phemmer

As a bit more explanation from the ACME Spec:

https://tools.ietf.org/html/draft-ietf-acme-acme-06#section-8.4

A client responds to this challenge by constructing a key authorization from the “token” value provided in the challenge and the client’s account key. The client then computes the SHA-256 digest [FIPS180-4] of the key authorization

These records are related to the Authorisations which will change when you do a renewal as they are only valid for 30 days.

Andrei


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.