Our motivation to know the range of IP addresses LE validation originates from is primarily security driven, but practical requirements are reasonable too, as also mentioned by other users in this topic.
I think a lot of deployments of webservers are kind of:
dedicated firewall (port forwarding) --> Webserver/Proxy --> Backend (application server etc.)
That means doing port forwarding is widely used but in my opinion that does not mean the risk of losing trust for LE.
LE certs are domain validated - no more, no less. The DNS infrastructure resolves a domain name to an IP address. What happens on the server with this IP address can be anything and should not matter regarding the domain validation (perhaps I miss a lot of evil things that could undermine LE trustworthiness possible with port forwarding, but I think those are existing risks anyway, independent of knowledge of those IP addresses).
In our case we provide web-based applications to a clearly defined region and we filter the whole IP traffic via country-based whitelisting where possible to lower any risk of attacks. TCP 443 traffic that matches the source whitelist is forwarded to a proxy (kind of web application firewall) that does proxying, balancing and stuff.
At this point port-forwarding besides security reasons comes into play in our case too.
The production proxy should not be paused when an automated process (also the aim of LE) renews the certs.
Further, I think the automatic mode of the LE client will not be usable in many deployments where no standard Apache but a self-compiled Apache is installed, in addition with special directory and file structures of configuration files.
To run in our setup we would have to modify the LE client, but I think this is not our best option. Instead we plan to use the manual mode of the LE client in an automated routine that puts the certs after validation into the production configuration. It would be much easier to have a webserver (Apache for example) just for this validation process beside the production webserver. Requests for the LE validation would be redirected by the firewall to this LE-validation webserver – forwarding would ideally be based on a known IP address range that we are trying to ask for (kindly).
Changing the IP addresses often, as @jsha pointed out, might be reasonable, for example to make MITM attacks more difficult.
I still would like to either have a sensible, not too big range of IP addresses or - even better - the possibility to automatically get a list of actually used IP addresses. Perhaps the LE client could be extended to be able to do such a request. This could also be included in the automated process.
BTW: Many thanks to Let's Encrypt, my question here is quite a detail that should not diminish LE's efforts.
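The automated routine sketched above (a validation-only webserver receiving the forwarded challenge request, then the renewed certs copied into the production proxy without pausing it), as an added example that is not part of the original post. It assumes certbot as the LE client, with its manual auth/cleanup and deploy hook interface, and two hypothetical paths: the validation webserver's webroot (ACME_WEBROOT) and the production proxy's TLS directory (PROD_TLS_DIR).

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes certbot as the LE client
# (--manual-auth-hook / --manual-cleanup-hook / --deploy-hook) and two hypothetical
# paths; override them via the environment when running.
set -eu

ACME_WEBROOT="${ACME_WEBROOT:-/var/www/acme}"        # served by the validation-only webserver
PROD_TLS_DIR="${PROD_TLS_DIR:-/etc/prod-proxy/tls}"  # read by the production proxy
RELOAD_CMD="${RELOAD_CMD:-true}"                     # e.g. "systemctl reload nginx"; no-op here

# Auth hook: certbot exports CERTBOT_TOKEN and CERTBOT_VALIDATION; publish the
# challenge file on the validation host so the forwarded LE request finds it.
write_challenge() {
    token="$1"; validation="$2"
    # Token is base64url; reject anything else so it cannot escape the directory.
    case "$token" in *[!A-Za-z0-9_-]*|"") echo "bad token" >&2; return 1 ;; esac
    dir="$ACME_WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$validation" > "$dir/$token"
    chmod 0644 "$dir/$token"
}

# Cleanup hook: remove the challenge file once validation is over.
cleanup_challenge() {
    rm -f "$ACME_WEBROOT/.well-known/acme-challenge/$1"
}

# Deploy hook: copy the renewed chain and key into production atomically, so the
# running proxy is never paused and never reads a half-written file.
install_cert() {
    live_dir="$1"   # certbot passes this directory as RENEWED_LINEAGE
    mkdir -p "$PROD_TLS_DIR"
    for f in fullchain.pem privkey.pem; do
        cp "$live_dir/$f" "$PROD_TLS_DIR/$f.tmp"
        chmod 0600 "$PROD_TLS_DIR/$f.tmp"
        mv "$PROD_TLS_DIR/$f.tmp" "$PROD_TLS_DIR/$f"   # rename is atomic on one filesystem
    done
    $RELOAD_CMD
}

case "${1:-}" in
    auth)    write_challenge "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" ;;
    cleanup) cleanup_challenge "$CERTBOT_TOKEN" ;;
    deploy)  install_cert "$RENEWED_LINEAGE" ;;
    *)       ;;   # no mode given: only define the functions
esac
```

Invoke it as the three hooks of one certbot run, e.g. `certbot certonly --manual --preferred-challenges http --manual-auth-hook "/path/hooks.sh auth" --manual-cleanup-hook "/path/hooks.sh cleanup" --deploy-hook "/path/hooks.sh deploy" -d example.org`, with the firewall forwarding the challenge requests to the validation webserver.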