When using the dns-01 verification type, we are required to put a TXT record in our DNS zone. I've noticed that when requesting new certs for the same host name, the DNS record doesn't change (given that the same account is used). Will this record ever need to be changed on a future renewal?
Background on why I ask: I am looking at using letsencrypt certs for intranet web servers (servers not accessible from the internet), so we cannot use the normal http challenge. But we can use the DNS challenge instead. However, for security reasons, I do not want to grant our servers the ability to make changes to our DNS zone. So instead what I'm thinking is that if this record doesn't ever need to change, I can just ensure the servers share the same letsencrypt account, and then they can retrieve the cert without needing DNS access.
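Added example, not part of the original post: how the dns-01 TXT value is derived in ACME. Per RFC 8555 §8.4 the key authorization is `token "." thumbprint`, where the thumbprint is the RFC 7638 JWK thumbprint of the account key, and the TXT record holds base64url(SHA-256(key authorization)). The thumbprint half is fixed for an account, but the token half is issued by the CA for each new authorization, so the record value only stays the same while the CA keeps handing back the same authorization. The key coordinates, host name and tokens below are constructed for illustration and are not real Let's Encrypt values; stdlib only.

```python
"""Derive the dns-01 TXT record value from an ACME token and account key.

Added example (RFC 8555 s8.4 key authorization, RFC 7638 thumbprint).
All key material and tokens are constructed; nothing here is a real account.
"""
import base64
import hashlib
import json

# Constructed P-256 public JWK standing in for the shared account key.
# Only "crv", "kty", "x" and "y" enter the thumbprint; "kid", "alg" and
# private members are ignored.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

# A second constructed key: a different account gives a different record.
OTHER_ACCOUNT_JWK = dict(ACCOUNT_JWK, x="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

# RFC 7638 s3.2: the required public members per key type, in lexicographic order.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def b64url(data: bytes) -> str:
    """base64url without trailing '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members serialised with
    keys sorted and no whitespace, then base64url."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token || "." || base64url(JWK_Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: the TXT RDATA is base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b64url(digest)


def dns01_record(hostname: str, token: str, jwk: dict, ttl: int = 60) -> str:
    """Zone-file line the ACME client would have to publish for this token."""
    return f'_acme-challenge.{hostname}. {ttl} IN TXT "{dns01_txt_value(token, jwk)}"'


def demo(hostname: str = "intranet.example.com") -> dict:
    """Show what the record looks like across three requests with one account.

    The tokens are constructed; a real CA issues them per authorization.
    """
    first_token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed
    fresh_token = "5jNudRx6Ye4HzKEqT5Bf-Xt7jSOMd2R9OIgkOnzHw0Y"   # constructed
    return {
        # Initial issuance.
        "first": dns01_record(hostname, first_token, ACCOUNT_JWK),
        # CA hands back the same (still-valid) authorization: same token, same record.
        "reused_authz": dns01_record(hostname, first_token, ACCOUNT_JWK),
        # CA issues a new authorization for the renewal: new token, new record.
        "new_authz": dns01_record(hostname, fresh_token, ACCOUNT_JWK),
    }


if __name__ == "__main__":
    for label, line in demo().items():
        print(f"{label:13s} {line}")
```

What this means for the plan in the post: sharing one account key across the servers pins the thumbprint half of the value, but the token half is chosen by the CA, so a client that cannot write to DNS can only succeed while the CA reuses an authorization it already validated. Once a fresh authorization is issued, whoever runs the client must be able to publish the new value. A common way to keep zone write access off the web servers is to delegate `_acme-challenge.<host>` by CNAME to a separate, low-privilege zone that only the ACME automation can update.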