New authentication method

hi,

backstory: I'm having issues with dns-01 and duckdns
solution: a new authentication method where you don't need to change txt records for each verification

here's how it would work:
preparation:
you generate an RSA keypair with a validity of one year
you insert the public key into a txt record (I'll leave the details vague, someone will know better how to do that exactly)
given the fact that your keypair has a validity of a year you don't need to change it for a complete year (or generate a keypair for 10 years if you want)
once you've prepared, this is how verification works:
me: hey, letsencrypt, I own the domain example.com
letsencrypt: ok, here's something I encrypted with that public key in your txt record, if you can decrypt it I'll believe you. Here's the encrypted challenge: ...
me: ok, this is what it says after decryption: ....
letsencrypt: wow, since you have the private key you must indeed be the owner of example.com

Duckdns seems to be having a lot of challenges lately, you may want to find a more reliable DNS service regardless.

This is actually being worked on; the proposal is called DNS-PERSIST-01. At the end of this recent blog post, Let's Encrypt says that they hope to implement it next year.

9 Likes

That's good. At the risk of preaching to the choir, my idea is that if you don't need to change records often, eventually your change will propagate to all dns servers. Can take at most an hour? A day? Not much more than that. You either wait (you won't need to very often) or maybe you can try both your old and new private keys, only one of them will work. Does that make sense? Will DNS-PERSIST-01 work if dns records get refreshed slowly?
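The exchange sketched in the opening post (public key published in a TXT record, CA encrypts a random challenge to it, owner decrypts and sends it back) and the rollover idea from the reply just above (the client tries its old and new private keys, only one of which will work), as an added example that is not part of this thread and not Let's Encrypt's or DNS-PERSIST-01's actual design. It uses Go's standard library RSA-OAEP. The TXT record name `_acme-persist.<domain>`, the in-memory `zone` map standing in for DNS, and the OAEP label `persist-challenge` are assumptions made up for this example; the real proposal's record format and cryptography are unknown at this point in the thread.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// zone is a constructed stand-in for the domain's DNS zone: the TXT record at
// _acme-persist.<domain> (a name invented for this example) holds the owner's
// public key as base64 SubjectPublicKeyInfo DER.
type zone map[string]string

// publishKey is the "preparation" step: put the public key into the TXT record.
// This is the one DNS change; it stays valid for as long as the key is kept.
func publishKey(z zone, domain string, pub *rsa.PublicKey) error {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return err
	}
	z["_acme-persist."+domain] = base64.StdEncoding.EncodeToString(der)
	return nil
}

// caChallenge is what the CA keeps per validation attempt.
type caChallenge struct {
	nonce      []byte // secret the CA remembers; only ever sent encrypted
	ciphertext []byte // what the CA hands to the claimant
}

// caIssueChallenge is the CA's side: look up the TXT record, parse the key,
// and encrypt a fresh random nonce to it.
func caIssueChallenge(z zone, domain string) (*caChallenge, error) {
	txt, ok := z["_acme-persist."+domain]
	if !ok {
		return nil, errors.New("no TXT record published for " + domain)
	}
	der, err := base64.StdEncoding.DecodeString(txt)
	if err != nil {
		return nil, err
	}
	parsed, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("TXT record does not hold an RSA public key")
	}
	nonce := make([]byte, 32) // fresh per attempt, so old answers cannot be replayed
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, []byte("persist-challenge"))
	if err != nil {
		return nil, err
	}
	return &caChallenge{nonce: nonce, ciphertext: ct}, nil
}

// clientRespond is the domain owner's side. During a key rollover the owner
// may hold both the old and the new private key and not know which one the
// CA's resolver saw, so every candidate is tried; exactly one should work.
func clientRespond(ct []byte, keys []*rsa.PrivateKey) ([]byte, error) {
	for _, k := range keys {
		pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k, ct, []byte("persist-challenge"))
		if err == nil {
			return pt, nil
		}
	}
	return nil, errors.New("none of the held private keys can decrypt the challenge")
}

// caVerify accepts the claimant only if the answer equals the nonce it encrypted.
func caVerify(c *caChallenge, answer []byte) bool {
	return bytes.Equal(c.nonce, answer)
}

// runExchange plays the whole dialogue for one domain: the TXT record carries
// the new key, the client still holds the old one as well. Returns the CA's verdict.
func runExchange(domain string) (bool, error) {
	oldKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	newKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	z := zone{}
	if err := publishKey(z, domain, &newKey.PublicKey); err != nil {
		return false, err
	}
	ch, err := caIssueChallenge(z, domain) // "here's something I encrypted..."
	if err != nil {
		return false, err
	}
	answer, err := clientRespond(ch.ciphertext, []*rsa.PrivateKey{oldKey, newKey})
	if err != nil {
		return false, err
	}
	return caVerify(ch, answer), nil // "since you have the private key..."
}

func main() {
	ok, err := runExchange("example.com")
	fmt.Println("validated:", ok, "error:", err)
}
```

Note that in this sketch the CA binds nothing to the challenge except the nonce, so whoever holds the private key can answer for any account; a deployable version would also need the answer tied to the specific ACME account and order, and a way to retire a published key, which is exactly the kind of detail the later replies say is better judged once the real DNS-PERSIST-01 design is published.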

In theory. If the DNS servers are configured properly and perform normally.

If your DNS servers are taking a day to sync I suggest looking for a different DNS provider :slight_smile: Even an hour is long by today's standards.

Note that the TXT record is not the only important record that the DNS servers must serve. Let's Encrypt checks for a CAA record at every level of the domain name. We have seen repeated problems with DuckDNS lately and sometimes this involves the CAA record check. Even if you don't use CAA record(s), Let's Encrypt must check for one.

Probably better to wait until closer to implementation before evaluating details. But, the premise is that you make a change to the DNS that is good for validation for a longer period than just one cert. How these details are implemented and whether they will suit your needs is unknown.

7 Likes

DNS propagation to non-authoritative servers can take a while but it's usually determined by the record TTL setting. Sync to your actual authoritative nameservers (which LE use) should be somewhere between instantaneous (good) and 15 mins (very poor), beyond that is pretty rare.

7 Likes

Hello @imre, welcome to the community! :slightly_smiling_face:

I have to second @webprofusion, DNS data propagation from the master to the slave servers must be in the order of seconds. If it is more than a quarter of an hour, then change the DNS provider.

4 Likes

This sounds more like you don't have working DNS Notify from your (hidden?) master towards Duckdns, so they just use your zone's refresh timer for zone updates - which can be hours or longer, but under your own control.

Either fix your DNS Notify (preferred, for realtime updates), and/or set your zone's refresh timer appropriately low for your use case (at the cost of more queries from Duckdns).

2 Likes

Duck DNS is not a secondary DNS service; there is no way to change the zone refresh time, nor does Duck DNS use the zone refresh time. Duck DNS does have reliability issues; however, propagation is not typically an issue with Duck DNS.

I think the poster was talking about other potential use cases for such a validation method.

6 Likes