The validation addresses are specifically not guaranteed to be stable over time, and we are likely to validate from multiple IP addresses in the future.
If you use the dns-01 challenge instead of the http-01 or tls-sni-01 challenges, you can avoid leaving HTTP ports open, though I realize dns-01 isn’t supported by the official client.