Limitation of TXT record response SIZE

This paragraph is a part of https://letsencrypt.org/docs/challenge-types/

What specific size of TXT record response would Let's Encrypt reject?

2 Likes

That part of the text describes a limit on the overall size of the DNS response message (between Boulder and Boulder's resolver).

That is different to having limits on individual TXT RRs or RRSets.

The limit is 4096 bytes, not including DNSSEC records. This is also subject to compression of DNS names. For this reason, it's not possible to give an exact number of TXT records, as it will vary from zone to zone. But it would be a few dozen at least; irrelevant for practically all users.

Keep in mind also that the specific details are undocumented. They can change at short notice.

6 Likes

This picture is a capture of https://letsencrypt.org/docs/challenge-types/

For example, I get order authorization info like this:

{u'status': u'pending',
 u'token': u'yVzDkZuvSVZt3ph4zgdsHkIEuT4tiqqXuxf2oD3zqO0',
 u'type': u'http-01',
 u'url': u'https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/176166952/_uNeHg'}

In DNS-01, the DNS TXT record is the token param encrypted by the account key.

What content is in the token file with HTTP-01?

Is the file name the token param?

1 Like

It's the same key authorization value as the TXT record response except you don't have to SHA256 hash and Base64URL encode it first. Here's a link to the corresponding RFC8555 section 8.3 with more detail.

1 Like
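The two challenge responses the reply above describes, worked through in Python as an added example (not code from this thread or from Let's Encrypt's own client or server). It assumes a constructed placeholder account JWK (sample coordinates treated as opaque strings) and reuses the token quoted earlier in the thread; it also carries the base64url token check a client should make before using the token as a file name.

```python
import base64
import hashlib
import json
import re

# Constructed inputs: the token is the one from the authorization object quoted
# above; the JWK uses sample P-256 coordinates, treated as opaque strings (no key
# operations are performed), and is not any real account key.
TOKEN = "yVzDkZuvSVZt3ph4zgdsHkIEuT4tiqqXuxf2oD3zqO0"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "kid": "acct-PLACEHOLDER",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
# RFC 7638 section 3.2: only these members feed the thumbprint; "kid", "alg" and
# any private members are ignored, so the value is stable across representations.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url(data: bytes) -> str:
    # JOSE base64url: URL-safe alphabet, '=' padding stripped (RFC 8555 section 8.1).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def is_acme_token(token: str) -> bool:
    # Tokens are base64url characters only (RFC 8555 section 8.3). A client that
    # writes the HTTP-01 file under the token name must check this before using it as a path.
    return re.fullmatch(r"[A-Za-z0-9_-]+", token) is not None

def jwk_thumbprint(jwk: dict) -> str:
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    # Canonical JSON: required members only, keys sorted, no whitespace.
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.1: token || '.' || base64url(JWK_Thumbprint(accountKey)).
    if not is_acme_token(token):
        raise ValueError("token contains characters outside the base64url alphabet")
    return token + "." + jwk_thumbprint(jwk)

def http01_challenge(token: str, jwk: dict) -> tuple:
    # (URL path, body): the body is the key authorization, served as-is.
    return "/.well-known/acme-challenge/" + token, key_authorization(token, jwk)

def dns01_challenge(domain: str, token: str, jwk: dict) -> tuple:
    # (TXT owner name, TXT value): value = base64url(SHA-256(key authorization)).
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return "_acme-challenge." + domain, b64url(digest)

if __name__ == "__main__":
    print(http01_challenge(TOKEN, ACCOUNT_JWK))
    print(dns01_challenge("example.com", TOKEN, ACCOUNT_JWK))
```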