Minor change to validation networking

Before issuing a certificate, we validate the requester's control of each hostname that will be in that certificate. We resolve DNS and (for HTTP-01 challenges) connect to Web servers from one of our own data centers, plus several cloud providers' locations, for each hostname.

Our staging environment is now using Cloudflare's Magic Transit service to protect our data centers' traffic. On or about July 27, 2022, we'll begin using it for our production environment.

We don't expect this change to cause many problems. However, subscribers may have trouble in the rare case that their authoritative nameservers or Web servers don't respect the TCP Maximum Segment Size (MSS) header. If their reply packets are larger than our requested MSS of 1436 bytes (which is lower than the generally used default of 1460 bytes), and especially if they also have the Don't Fragment (DF) bit set, then they may not reach us, causing that validation connection to fail.

If a validation failure is otherwise a mystery, this may be a cause to consider. However, please do basic troubleshooting first; we expect this to be rare. Thanks!

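A way to check a packet capture for exactly the symptom described in the post, as an added example that is not part of the original post and not Let's Encrypt's own tooling: it parses raw IPv4/TCP packets, reads the MSS option from the validator's SYN (1436 in this case), and flags every data segment the server sends back that is larger than that value, noting whether the Don't Fragment bit was set. The four-packet "capture" is constructed inline with RFC 5737 documentation addresses; on a real server you would feed it the packets `tcpdump` saw on the server's side of a failed validation attempt. Note that this only compares sizes as the post describes; it cannot see the path MTU or where along the path an oversized, unfragmentable packet would be dropped.

```python
import socket
import struct

IP_DF = 0x4000           # Don't Fragment bit in the IPv4 flags/fragment-offset field
TCP_SYN, TCP_ACK = 0x02, 0x10
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2


def build_packet(src, dst, sport, dport, tcp_flags, payload_len=0, df=False, mss=None):
    """Build a minimal IPv4+TCP packet. Checksums are left at zero: this is
    constructed sample data for offline analysis, not something to put on the wire."""
    opts = b""
    if mss is not None:
        opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)   # kind=2, len=4, value
    opts += b"\x00" * (-len(opts) % 4)                     # pad options to 4-byte boundary
    data_offset = ((20 + len(opts)) // 4) << 4             # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, tcp_flags,
                      65535, 0, 0) + opts
    payload = b"A" * payload_len
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0,
                     IP_DF if df else 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse_packet(pkt):
    """Extract just the fields the MSS/DF check needs from a raw IPv4+TCP packet."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if proto != 6:                                         # not TCP
        return None
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:total_len]
    _, _, _, _, off_res, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    tcp_hlen = (off_res >> 4) * 4
    mss, opts, i = None, tcp[20:tcp_hlen], 0
    while i < len(opts):                                   # walk TCP options for MSS
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        if kind == TCP_OPT_MSS and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "df": bool(flags_frag & IP_DF),
        "syn": bool(flags & TCP_SYN), "ack": bool(flags & TCP_ACK),
        "mss": mss,
        "segment": total_len - ihl - tcp_hlen,             # TCP payload bytes in this packet
    }


def oversized_replies(packets, validator_ip):
    """Return (MSS requested in the validator's SYN, [(segment_size, df), ...]) for
    every data segment sent to the validator that exceeds that MSS. A non-empty
    list means the peer is not honouring the requested MSS; the df=True entries
    are the ones that cannot be fragmented in transit and so are likely to be lost."""
    requested, offending = None, []
    for raw in packets:
        p = parse_packet(raw)
        if p is None:
            continue
        if p["src"] == validator_ip and p["syn"] and not p["ack"]:
            requested = p["mss"]                           # what the validator asked for
        elif p["dst"] == validator_ip and requested is not None and p["segment"] > requested:
            offending.append((p["segment"], p["df"]))
    return requested, offending


# Constructed capture (documentation addresses): validator 203.0.113.5 talks to
# a subscriber's web server 192.0.2.10 that ignores the advertised MSS.
VALIDATOR, SERVER = "203.0.113.5", "192.0.2.10"
CAPTURE = [
    build_packet(VALIDATOR, SERVER, 40000, 443, TCP_SYN, mss=1436),             # validator SYN, MSS 1436
    build_packet(SERVER, VALIDATOR, 443, 40000, TCP_SYN | TCP_ACK, mss=1460),   # server SYN-ACK, its own MSS
    build_packet(SERVER, VALIDATOR, 443, 40000, TCP_ACK, payload_len=1436, df=True),  # fits requested MSS
    build_packet(SERVER, VALIDATOR, 443, 40000, TCP_ACK, payload_len=1460, df=True),  # exceeds it, DF set
]

if __name__ == "__main__":
    mss, bad = oversized_replies(CAPTURE, VALIDATOR)
    print(f"validator requested MSS {mss}; oversized segments from server: {bad}")
```

If the list comes back empty for a real capture taken during a failed validation, the MSS/DF behaviour described above is not the cause and the usual troubleshooting (DNS, firewall, web server configuration) applies.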

This change is now complete in our production environment.
