Which DNS Server Does Let's Encrypt Use?

A record - example.com - old IP -- 86400

Waiting for a day is not fun.

There are times when I wish to update a new server IP and purge the DNS cache at Cloudflare and Google so Let’s Encrypt can quickly recognize the newly updated IP.

I wonder if the Let’s Encrypt team can tell us what DNS it uses; it would be helpful in purging its DNS cache and speeding up the installation process.

Thanks

1 Like

Let’s Encrypt doesn’t use public recursive resolvers. They run their own, and they only observe TTL to a maximum of 60 seconds. If your TTL is 0, it won’t cache at all.

Effectively, there is no cache to purge. Whatever your authoritative nameservers are sending, that’s what Let’s Encrypt will see.

4 Likes

Basically, just query all your authoritative nameservers.
If they all show the correct IP, then you can disregard any old/cached entries found elsewhere.
If any one of your authoritative nameservers shows an old/outdated record, then you may need to get them to synchronize at a faster frequency or dig deeper into why they remain out-of-sync for such long periods of time.

2 Likes
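As an added example (not code from the thread), the check described in the post above as a script: it asks each authoritative nameserver directly, so caches at public resolvers play no part, and reports which nameservers still serve a stale address. The parsing and comparison run offline on a constructed sample; `query_authoritative` is the live path and assumes `dig` is installed and the host has network access.

```python
import re
import subprocess

# Stated in the thread: Let's Encrypt's own resolvers honour a TTL of at most 60 s.
LE_MAX_TTL = 60

# One line of `dig +noall +answer` output for an A record (fields are tab-separated).
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_dig_answers(text):
    """Turn `dig +noall +answer` output into a list of (name, ttl, ip)."""
    records = []
    for line in text.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            records.append((m.group(1).rstrip("."), int(m.group(2)), m.group(3)))
    return records

def effective_le_ttl(ttl):
    """How long Let's Encrypt will cache the answer: min(zone TTL, 60 s)."""
    return min(ttl, LE_MAX_TTL)

def check_nameservers(expected_ip, answers_by_ns):
    """Map each authoritative nameserver to 'ok', 'missing' or 'stale: <ips>'."""
    report = {}
    for ns, text in answers_by_ns.items():
        ips = {ip for _, _, ip in parse_dig_answers(text)}
        if not ips:
            report[ns] = "missing"
        elif ips == {expected_ip}:
            report[ns] = "ok"
        else:
            report[ns] = "stale: " + ",".join(sorted(ips))
    return report

def query_authoritative(domain):
    """Live path (needs network and dig): ask every NS of `domain` directly, bypassing caches."""
    run = lambda *args: subprocess.run(["dig", *args], capture_output=True, text=True).stdout
    return {ns: run("+noall", "+answer", "@" + ns, "A", domain) for ns in run("+short", "NS", domain).split()}

# Constructed sample output (not captured from any real zone): ns1 already serves
# the new address, ns2 still serves the old one.
SAMPLE = {
    "ns1.example.net.": "example.com.\t3600\tIN\tA\t203.0.113.10\n",
    "ns2.example.net.": "example.com.\t3600\tIN\tA\t198.51.100.7\n",
}
```

Run `check_nameservers("203.0.113.10", query_authoritative("example.com"))` to check a real zone. If a hosted DNS provider's internal cache is still serving old data, its authoritative servers answer with the old address and show up here as stale.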

Are you sure that they would respect TTL for only 60 seconds, regardless of any value defined on my end?

Yes, either your TTL or 60s, whichever is lower.

If you are seeing stale records during validation, please share the affected DNS name.

3 Likes

Thanks for confirming. I will do such a trial today where I will keep a non-targeted IP for 3600 and then change it to the target IP, to find out whether they respect the 60-second hardcoded TTL or not.

Right now, all is set. I just had this question out of curiosity. Before this I always used to wait for actual propagation till DNSChecker says all looks good.

Update: I can confirm this works.

3 Likes

Not necessarily true. Commercial DNS providers often employ a cache on their end. If you use such a service, it is possible for their internal systems to cache and serve the stale DNS records, which use their application-based expiries and not the TTL configured in the DNS records.

If you do not control your own DNS servers, you may need to have your vendor clear their caches… or run your own instance of acme-dns to handle DNS-01 authorizations. (I strongly recommend using acme-dns)

2 Likes