Validation servers' DNS records


#1

Hello,

I have got a very similar question to this one: IP addresses LE is validating from to build firewall rule.
If it is not safe to assume that the IP addresses of the validation servers stay constant, will it be safe to assume that the DNS records of outbound1.letsencrypt.org, outbound2.letsencrypt.org up to potentially outboundN.letsencrypt.org will always be named incrementally and exclusively resolve to the whole set of IP addresses used for validation purposes?
If not, what are the reasons except for security by obscurity?

In my opinion, the publication of validation server IP addresses via DNS might increase usability in combination with iptables support of the client because the standalone authentication might then be used without interrupting any already running webservers on port 80/443.


#2

The idea behind validation via HTTP/HTTPS is that Let’s Encrypt gets the same view of your site as any other client. Making routing decisions based on the fact that the request is coming from Let’s Encrypt would go against that. It is also not guaranteed that the IP will stay the same, that it will be only one request or IP and that the IP is predictable at all - for example, future versions of the CA server might use a quorum approach from multiple locations, or it might send one validation request via Tor (which would make spoofing very hard as the network from which the request is made is not predictable for an attacker), making the IP address entirely unpredictable.

The majority of web servers can work with the existing webroot plugin, solving the problem of having to stop the web server during renewal. For any other scenario, there’s still DNS-based validation, which doesn’t require any changes on your web server or any open ports.


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.