How does DNS Validation work behind the scenes


When dns-01 validation is done, how does Let's Encrypt do the validation behind the scenes?

My assumption is that it does the following:

  1. Query for the list of authoritative name servers using NS records
  2. Poll each of the servers given for an appropriately named TXT record
  3. If the challenge key is found on one or more of the authoritative servers, it's considered validated


It uses an off-the-shelf recursive DNS server. To be more specific, Unbound. (With a particular configuration, with DNSSEC and so forth enabled, and caching minimized.)

The CA software, Boulder, doesn’t do anything complicated. It just makes a TXT query to the resolver (using miekg’s dns client).

Boulder doesn’t make its own NS query. Unbound, as currently designed, doesn’t go out of its way to make unnecessary NS queries either. It just follows the NS records as given by the delegations (and the authority sections of other responses, I think).

Boulder makes one query to the resolver. If some of a zone’s authoritative DNS servers are down or so forth, Unbound will query other ones, but a valid negative response from one server will be taken as definitive.

You have to ensure that all of the zone’s authoritative DNS servers are serving the TXT record.

(CNAME records will be followed.)
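Added example (written for this page, not code from Boulder or Unbound): the standard dns-01 TXT value is derived from the challenge token and the account key per RFC 8555 section 8.4 and RFC 7638, and a pre-issuance check then walks every authoritative server's view of the zone, following CNAMEs, to confirm that each one serves that value. The server data is constructed inline and stands in for real DNS answers; the CNAME handling is a simplified per-server model of what a resolver does, and the names `ns1`/`ns2` and the JWK fields are made up for the example.

```python
import base64
import hashlib
import json
from typing import Dict, List, Optional

# Added example, not Let's Encrypt/Boulder code. Demonstrates how the
# dns-01 TXT value is computed and why every authoritative server must
# serve it before the CA's single resolver query is attempted.


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record content for dns-01: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(domain: str) -> str:
    """_acme-challenge label for the identifier (wildcard prefix is dropped)."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain.rstrip('.')}."


MAX_CNAME_DEPTH = 8


def lookup_txt(zone: Dict[str, Dict[str, object]], name: str) -> Optional[List[str]]:
    """TXT lookup in one server's constructed zone view, following CNAMEs.

    Returns None for a negative answer (neither TXT nor CNAME at the name).
    """
    for _ in range(MAX_CNAME_DEPTH):
        rrsets = zone.get(name, {})
        if "TXT" in rrsets:
            return list(rrsets["TXT"])  # type: ignore[arg-type]
        if "CNAME" in rrsets:
            name = str(rrsets["CNAME"])
            continue
        return None
    raise RuntimeError("CNAME chain too long")


def check_all_authoritative(servers: Dict[str, Dict[str, Dict[str, object]]],
                            domain: str, expected: str) -> Dict[str, bool]:
    """Per-server verdict: True only if that server returns the expected value.

    Any False here means a negative answer from that server would be taken
    as definitive by the CA's resolver, so publication is not yet complete.
    """
    name = challenge_name(domain)
    verdicts = {}
    for ns, zone in servers.items():
        txts = lookup_txt(zone, name)
        verdicts[ns] = txts is not None and expected in txts
    return verdicts


if __name__ == "__main__":
    # Constructed account key (EC P-256 JWK with placeholder coordinates) and token.
    jwk = {"kty": "EC", "crv": "P-256", "x": "example-x", "y": "example-y"}
    expected = dns01_txt_value("evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", jwk)

    # Constructed zone views: ns1 publishes via CNAME to a delegated zone,
    # ns2 still serves a stale value from a previous issuance.
    servers = {
        "ns1": {
            "_acme-challenge.example.com.": {"CNAME": "acme.validation.example.net."},
            "acme.validation.example.net.": {"TXT": [expected]},
        },
        "ns2": {
            "_acme-challenge.example.com.": {"TXT": ["stale-value-from-last-time"]},
        },
    }
    for ns, ok in check_all_authoritative(servers, "example.com", expected).items():
        print(f"{ns}: {'serving expected TXT' if ok else 'MISSING or stale'}")
```

Run the check against each listed NS before asking the CA to validate; if any server reports missing or stale, wait for propagation (or fix the secondary) first, since the CA's resolver may hit that server and treat its negative answer as final.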


Thanks @mnordhoff. Exactly the answer I was looking for.

