How do Let's Encrypt clients validate certificate TXT files?

I wanted to confirm the way the Let's Encrypt client validates cert TXT files. In a scenario where there are 6 Name Servers available, should we see queries for ALL of them in order to get a successful validation?

I became aware of a scenario where this happens and am wondering whether that's RFC compliant:

5.3.3. Algorithm

The top level algorithm has four steps:

1. See if the answer is in local information, and if so return
it to the client.

2. Find the best servers to ask.

3. Send them queries until one returns a response.

4. Analyze the response, either:

a. if the response answers the question or contains a name
error, cache the data as well as returning it back to
the client.

b. if the response contains a better delegation to other
servers, cache the delegation information, and go to
step 2.

c. if the response shows a CNAME and that is not the
answer itself, cache the CNAME, change the SNAME to the
canonical name in the CNAME RR and go to step 1.

d. if the response shows a servers failure or other
bizarre contents, delete the server from the SLIST and
go back to step 3.

From the above, we would expect the queries to be routed to one NS and if it isn't working, route the request to other NS, until we get a response.

Any information about this would be highly appreciated.

Let's Encrypt only requires a response from one authoritative nameserver.

However, Let's Encrypt does conduct validation from multiple vantage points (to mitigate the potential of BGP hijacking attacks), and so it is expected that a collection of authoritative nameservers will receive multiple queries in the course of a single validation.


Expanding on the above: Subscribers routinely have issues when using multiple authoritative nameservers that are not synced to one another. Any one of the authoritative nameservers can be queried by any one of the authorization vantage points; if one of these servers causes a failure, the entire order will fail.
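The following is an added example, not code from this thread and not Let's Encrypt's own validation code. It models in Python the two points made above: a resolver following RFC 1034 section 5.3.3 steps 3 and 4d (ask servers in SLIST order until one returns a response, dropping servers that fail), and a DNS-01 validation where several vantage points each land on whichever authoritative server they happen to reach. The six nameservers, the zone contents and the vantage point names are all constructed; no DNS traffic is sent. The `audit_nameservers` function is the pre-flight check an operator would want: every authoritative server must return the same TXT set, because a stale server that does answer is a valid response and the resolver will not move on to a better one.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple


class ServerFailure(Exception):
    """Models SERVFAIL, REFUSED or a timeout from one authoritative server."""


# Constructed zone data for six hypothetical authoritative nameservers.
# ns1-ns4 are in sync, ns5 still serves a stale token, ns6 always fails.
CHALLENGE = "_acme-challenge.example.com."
ZONE_DATA: Dict[str, Optional[Dict[str, Set[str]]]] = {
    "ns1.example.com.": {CHALLENGE: {"token-current"}},
    "ns2.example.com.": {CHALLENGE: {"token-current"}},
    "ns3.example.com.": {CHALLENGE: {"token-current"}},
    "ns4.example.com.": {CHALLENGE: {"token-current"}},
    "ns5.example.com.": {CHALLENGE: {"token-stale"}},   # not yet synced
    "ns6.example.com.": None,                            # None => SERVFAIL
}

Lookup = Callable[[str, str], Set[str]]


def lookup_txt(server: str, name: str) -> Set[str]:
    """Stand-in for a real TXT query to one server (constructed data only)."""
    zone = ZONE_DATA[server]
    if zone is None:
        raise ServerFailure(server)
    return set(zone.get(name, set()))


def resolve_txt(name: str, slist: List[str],
                lookup: Lookup = lookup_txt) -> Tuple[str, Set[str]]:
    """RFC 1034 5.3.3 steps 3 and 4d: ask the servers in SLIST order until one
    returns a response; a server that fails is deleted and the next is tried.
    An answer without the expected token is still a response, so the resolver
    stops there rather than moving on to a better-synced server."""
    remaining = list(slist)
    while remaining:
        server = remaining[0]
        try:
            return server, lookup(server, name)
        except ServerFailure:
            remaining.pop(0)          # step 4d: drop it, go back to step 3
    raise ServerFailure("no authoritative server answered for " + name)


def validate_dns01(name: str, expected: str,
                   vantage_orders: Dict[str, List[str]],
                   lookup: Lookup = lookup_txt):
    """Each vantage point resolves independently with its own server order
    (models that any vantage point may reach any nameserver).  The order
    succeeds only if every vantage point sees the expected token."""
    results: Dict[str, Tuple[Optional[str], bool]] = {}
    for vantage, order in vantage_orders.items():
        try:
            server, txt = resolve_txt(name, order, lookup)
            results[vantage] = (server, expected in txt)
        except ServerFailure:
            results[vantage] = (None, False)
    return all(ok for _, ok in results.values()), results


def audit_nameservers(name: str, servers: List[str],
                      lookup: Lookup = lookup_txt):
    """Operator pre-flight check: query every authoritative server directly
    and require identical TXT sets.  Returns (in_sync, per-server answers);
    a failing server is recorded as None and also counts as out of sync."""
    answers: Dict[str, Optional[frozenset]] = {}
    for server in servers:
        try:
            answers[server] = frozenset(lookup(server, name))
        except ServerFailure:
            answers[server] = None
    distinct = set(answers.values())
    in_sync = len(distinct) == 1 and None not in distinct
    return in_sync, answers


if __name__ == "__main__":
    # Three constructed vantage points; eu-west happens to reach the stale ns5.
    orders = {
        "us-east": ["ns1.example.com.", "ns2.example.com."],
        "eu-west": ["ns5.example.com.", "ns1.example.com."],
        "ap-south": ["ns6.example.com.", "ns3.example.com."],
    }
    ok, per_vantage = validate_dns01(CHALLENGE, "token-current", orders)
    print("order succeeds:", ok)
    for vantage, (server, seen) in per_vantage.items():
        print(f"  {vantage:9s} -> {server}: token {'seen' if seen else 'missing'}")
    in_sync, answers = audit_nameservers(CHALLENGE, list(ZONE_DATA))
    print("all nameservers in sync:", in_sync)
    for server, txt in answers.items():
        print(f"  {server}: {'SERVFAIL' if txt is None else sorted(txt)}")
```

To run the audit against real infrastructure, replace `lookup_txt` with a function that sends a TXT query to each NS address (for example with dnspython) and raises `ServerFailure` on SERVFAIL or timeout; the rest of the logic is unchanged.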

