I have got a very similar question to this one: IP addresses LE is validating from to build firewall rule.
If it is not safe to assume that the IP addresses of the validation servers stay constant, will it be safe to assume that the DNS records of outbound1.letsencrypt.org, outbound2.letsencrypt.org up to potentially outboundN.letsencrypt.org will always be named incrementally and exclusively resolve to the whole set of IP addresses used for validation purposes?
If not, what are the reasons except for security by obscurity?
In my opinion, the publication of validation server IP addresses via DNS might increase usability in combination with iptables support of the client, because the standalone authentication might then be used without interrupting any already running webservers on port 80/443.