Minor DNSSEC validation change

Hi, everyone,

We're making a small change to how Let's Encrypt validates domain names. This will only affect very, very few domains. It won't be relevant to you unless:

a) your DNS zone is DNSSEC-signed; and
b) your authoritative nameservers are running very old, buggy software; and
c) you're trying to validate subdomains beneath (sub)domains that don't themselves exist.

We're going to turn on the harden-below-nxdomain setting in our Unbound DNS resolvers. Let's say you're signing your example.com zone with DNSSEC, and your authoritative nameserver returns an NXDOMAIN (no such domain) response when we look up test.example.com - but does return a record when we look up host.test.example.com. That behaviour, which is not standards-compliant, will no longer work. We'll now conclude that nothing underneath test.example.com exists.

Almost all authoritative nameservers avoid this problem: they correctly return a NOERROR result (not an NXDOMAIN) for test.example.com when it has subdomains, but no records of its own. And again, this change only affects DNSSEC-signed responses. We aren't changing how we evaluate unsigned responses.

This change is now live in our staging environment, so please try issuing a staging certificate if you think you might be affected. We plan to promote it into production next week, on or around Thursday, April 9.

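The behaviour the announcement describes, modelled as an added Python example (not Let's Encrypt's or Unbound's code): a toy resolver that, with hardening on, treats a DNSSEC-validated NXDOMAIN as covering every name beneath it, as Unbound's harden-below-nxdomain does per RFC 8020. The zone contents and the address are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Toy model of a validating resolver with Unbound's harden-below-nxdomain
# (RFC 8020 "NXDOMAIN cut"). Illustration only, not Unbound's code.

@dataclass
class Response:
    rcode: str                # "NOERROR" or "NXDOMAIN"
    secure: bool              # True if the answer passed DNSSEC validation
    rdata: str | None = None  # answer data, if any

@dataclass
class Resolver:
    zone: dict[str, Response]          # constructed authoritative data
    zone_signed: bool                  # whether NXDOMAINs are DNSSEC-signed
    harden_below_nxdomain: bool = True
    nxdomain_cuts: set[str] = field(default_factory=set)
    upstream_queries: int = 0

    def resolve(self, name: str) -> Response:
        # With hardening on, anything under a validated NXDOMAIN cut is
        # answered NXDOMAIN from cache without asking the authoritative.
        if self.harden_below_nxdomain and any(
                name.endswith("." + cut) for cut in self.nxdomain_cuts):
            return Response("NXDOMAIN", secure=True)
        self.upstream_queries += 1
        resp = self.zone.get(name, Response("NXDOMAIN", self.zone_signed))
        # Only a DNSSEC-validated NXDOMAIN becomes a cut; unsigned answers
        # are evaluated as before, matching the announcement.
        if resp.rcode == "NXDOMAIN" and resp.secure:
            self.nxdomain_cuts.add(name)
        return resp

# Constructed zones from the announcement. The buggy one says NXDOMAIN for
# test.example.com even though host.test.example.com has a record; the
# compliant one returns an empty NOERROR for the intermediate name.
BUGGY_ZONE = {"host.test.example.com": Response("NOERROR", True, "192.0.2.10")}
FIXED_ZONE = {**BUGGY_ZONE, "test.example.com": Response("NOERROR", True)}

def outcome(zone: dict[str, Response], signed=True, hardened=True) -> str:
    """rcode seen for host.test.example.com when test.example.com was
    queried first, as a resolver walking down the tree would."""
    r = Resolver(zone, signed, hardened)
    r.resolve("test.example.com")
    return r.resolve("host.test.example.com").rcode

if __name__ == "__main__":
    print(outcome(BUGGY_ZONE), outcome(FIXED_ZONE))  # NXDOMAIN NOERROR
```

Running `outcome` with `hardened=False` or `signed=False` shows the record is still found in those cases, which is why only DNSSEC-signed zones behind non-compliant servers are affected.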

This change is now live in our production environment.
