NS Server Domain .top Ceases Servicing Validation Queries for Let’s Encrypt

1 Jul 2024 9:30 am GMT+0000 Date Time

Users of Let’s Encrypt Certificate Face Challenges with Domain Verification
Users of the non-profit certificate of the Let’s Encrypt Center, controlled by the community and providing certificates for free to everyone, are currently facing challenges. Upon receipt of certificates, users have encountered the impossibility of confirming domain rights in the “.top” zone via DNS. This issue arose on June 25 when the DNS servers responsible for the first-level domain “.top” stopped accepting requests from Let’s Encrypt project missilers using DNS-01 during the verification process. This method is required to obtain certificates with wildcard masks that cover a group of subdomains in one certificate (e.g. *.example.com). Initially, the problem was thought to be related to DNSSEC. However, it was later discovered that the failure during DNSSEC checks is not the cause. It appears that the investigation revealed the DNS servers of the .top domain are rejecting all Let’s Encrypt requests, indicating targeted blocking. Let’s Encrypt employees are currently attempting to reach out to the owners of the NS servers for the .top domain but have been unsuccessful thus far.

Users of Let’s Encrypt Certificate Face Challenges with Domain Verification

Users of the non-profit certificate of the Let’s Encrypt Center, controlled by the community and providing certificates for free to everyone, are currently facing challenges. Upon receipt of certificates, users have encountered the impossibility of confirming domain rights in the “.top” zone via DNS. This issue arose on June 25 when the DNS servers responsible for the first-level domain “.top” stopped accepting requests from Let’s Encrypt project missilers using DNS-01 during the verification process. This method is required to obtain certificates with wildcard masks that cover a group of subdomains in one certificate (e.g. *.example.com).

Initially, the problem was thought to be related to DNSSEC. However, it was later discovered that the failure during DNSSEC checks is not the cause. It appears that the investigation revealed the DNS servers of the .top domain are rejecting all Let’s Encrypt requests, indicating targeted blocking. Let’s Encrypt employees are currently attempting to reach out to the owners of the NS servers for the .top domain but have been unsuccessful thus far.

/Reports, release notes, official announcements.