How Let's Encrypt checks DNS Challenges


I’ve implemented a client in PHP. I use the DNS challenge and set the two records using the LiveDNS API from Gandi.

To know if I can respond to the challenge I use the internal PHP function dns_get_record().
(I loop n times with a timeout)

Even if I wait more than 60s, this function never finds the two new records _acme-challenge.

Despite this failure, if I “respond” to the two challenges, Let’s Encrypt almost always finds the two records.

I am wondering why Let’s Encrypt finds them and not dns_get_record(). Does Let’s Encrypt have a specific way of communicating with the DNS server?

I would like to implement this method so that I can be sure to “respond” to the challenges at the right time.

Thank you in advance

Are you querying your domain’s authoritative nameservers, or a public resolver? Let’s Encrypt always queries the former, which will reflect changes much quicker than public resolvers which must wait for propagation. Also, silly question, but are you sure you’re requesting TXT records and not a different record type?


It is so obvious … I was checking the TXT records of DOMAIN and not the TXT records of _acme-challenge.DOMAIN.
Thanks a lot Jared
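
As an added example (not from the thread, and in Python rather than the poster's PHP): a pre-check that sends a TXT query for `_acme-challenge.DOMAIN` straight to one authoritative nameserver, covering the two points raised in the replies above. The function names are hypothetical, `server_ip` is assumed to be the address of one of the zone's NS hosts, and stripping a leading `*.` for wildcard names goes beyond what the thread discusses.

```python
import random
import socket
import struct

TXT, IN = 16, 1  # DNS record type TXT, class IN

def challenge_name(domain):
    # The CA looks up _acme-challenge.<domain>, never <domain> itself.
    domain = domain.rstrip(".").lower()
    if domain.startswith("*."):  # wildcard names validate at the base name
        domain = domain[2:]
    return "_acme-challenge." + domain

def build_query(name, qid):
    # One TXT question, RD=0: we ask the authoritative server, no recursion.
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack("!6H", qid, 0, 1, 0, 0, 0) + qname + b"\0" + struct.pack("!2H", TXT, IN)

def _skip_name(msg, pos):  # offset just past a (possibly compressed) name
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)  # pointer is 2 bytes, root label 1

def parse_txt(msg, qid):
    rid, flags, qd, an = struct.unpack("!4H", msg[:8])
    if rid != qid or not flags & 0x8000 or flags & 0x0200:
        raise ValueError("not a matching, untruncated response")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # QTYPE + QCLASS
    values = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, rdlen = struct.unpack("!H6xH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype == TXT:  # rdata is a run of length-prefixed strings
            i, parts = 0, []
            while i < len(rdata):
                parts.append(rdata[i + 1:i + 1 + rdata[i]])
                i += 1 + rdata[i]
            values.append(b"".join(parts).decode("ascii"))
    return values

def txt_at(server_ip, domain, timeout=3.0):
    # Query one authoritative nameserver (by IP) for the challenge records.
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(challenge_name(domain), qid), (server_ip, 53))
        return parse_txt(s.recv(4096), qid)
```

Call `txt_at` against every nameserver of the zone and respond to the challenge only once each of them returns the expected values.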
