Let's Encrypt DNS lookups

In the thread linked above there is a discussion that it seems that the DNS servers that LE uses are slow to update when changes are made. The net result of the discussion is that LE uses the authoritative name servers for the actual domain and there is no delay.

I don’t believe that is the case … has that changed since last year?

Over the past several weeks I have been helping people set up their email service, of which a part of is creating CNAME records then provisioning SSL certs for the subdomains. VERY often the certificate request fails for reasons such as

Error: http://mail.domain.tld/.well-known/acme-challenge/letsencrypt_1572998795 is not reachable. Aborting the script.
dig output for mail.domain.tld:
host.emailserviceprovider.net.mail.tld.
Please make sure /.well-known alias is setup in WWW server.

Now, in this specific case … there was an earlier error with the CNAME entry but this was fixed BEFORE this particular LE request was made. I also did a dig @ the authoritative name server, and the record was correct …

So, why is this??? Are DNS records being cached rather than looked up for each attempt? If so, what is the expiration time on the cache so we know how long it is necessary to wait after a failure due to DNS issues? Any guidance would be appreciated! Thanks in advance.

I am sorry that the domain is masked - the domain used for this example is not mine to share and I have not received permission to do so.

Hi, @alento,

Let’s Encrypt uses a very short expiration time on all DNS caching, regardless of TTL.

The cache is not shared with anyone else, so it wouldn’t be primed unless another certificate had been requested for the domain very recently.

Is it possible there are multiple authoritative servers on your side, and a secondary server may be slow to pick up changes from the primary server? Let’s Encrypt could be querying a secondary server and receiving older data that way.

1 Like

Hi @JamesLE thanks for the response.

It is possible on the secondary server as I did not note which specific authoritative server I checked … next time I will check them all. :slight_smile:

Possible to share the expiration time used?

I can’t guarantee it will stay the same, but it’s currently no more than 60 seconds.

1 Like

Thanks – appreciate the information.

I’d add that you can avoid the caching entirely by setting TTL of the TXT records to 0. (At least, for now).

This was a crucial part of getting DNS validation working reliably in an ACME client of mine, when the same base domain was involved in multiple orders.

2 Likes

Assuming your DNS provider allows such a setting. :wink: Many hosted providers enforce minimum TTLs on all records to avoid mistakes and abuse.

1 Like

Hi @alento

without the domain name it’s not possible to check it. There are a lot of buggy name servers.

Is it possible to share the name server? The topic you have found is old. Later, I’ve created an own check (“check your website”). There are some name servers - terrible slow.

If it really said “letsencrypt_1572998795”, that error message isn’t coming from Let’s Encrypt itself. Your ACME client is doing some kind of self-check, and that’s failing somehow. It’s probably using your computer’s DNS resolver specified in /etc/resolv.conf, or some centralized servers operated by DirectAdmin(?), or something.

1 Like