DNS-PERSIST-01: A New Model for DNS-based Challenge Validation – Let’s Encrypt Blog DNS-PERSIST-01: A New Model for DNS-based Challenge Validation By Samantha Frank · February 18, 2026 When you request a certificate from Let’s Encrypt, our servers validate that you control the hostnames in that certificate using ACME challenges . For subscribers who need wildcard certificates or who prefer not to expose infrastructure to the public Internet, the DNS-01 challenge type has long been the only choice. DNS-01 works well. It is widely supported and battle-tested, but it comes with operational costs: DNS propagation delays, recurring DNS updates at renewal time, and automation that often requires distributing DNS credentials throughout your infrastructure. We are implementing support for a new ACME challenge type, DNS-PERSIST-01, based on a new IETF draft specification . As the name implies, it uses DNS as the validation mechanism, but replaces repeated demonstrations of control with a persistent authorization record bound to a specific ACME account and CA. The draft describes this method as being “particularly suited for environments where traditional challenge methods are impractical, such as IoT deployments, multi-tenant platforms, and scenarios requiring batch certificate operations”. DNS-01 Proves Control Repeatedly With DNS-01, validation relies on a one-time token generated by us. Your ACME client publishes a TXT record containing that token at _acme-challenge. , and we query DNS to confirm that it matches the expected value. Because each authorization requires a new token, DNS updates become part of the issuance workflow. The benefit is that each successful validation provides fresh proof that you currently control DNS for the name being issued. In practice, this often means DNS API credentials live somewhere in your issuance pipeline, validation attempts involve waiting for DNS propagation, and DNS changes happen frequently — sometimes many times per day in large deployments. Many subscribers accept these tradeoffs, but others would prefer to keep DNS updates and sensitive credentials out of their issuance path. DNS-PERSIST-01 Authorizes Persistently DNS-PERSIST-01 approaches validation differently. Instead of publishing a new challenge record for each issuance, you publish a standing authorization in the form of a TXT record that identifies both the CA and the specific ACME account you authorize to issue for this domain. For the hostname example.com, the record would live at _validation-persist.example.com : _validation-persist.example.com. IN TXT ( ” letsencrypt.org ;” ” accounturi=https:// acme-v02.api.letsencrypt.org /acme/acct/ 1234567890 ” ) Once this record exists, it can be reused for new issuance and all subsequent renewals. Operationally, this removes DNS changes from the critical path. Security and Operational Tradeoffs With DNS-01, the sensitive asset is DNS write access. In many deployments, DNS API credentials are dis

Source: Hacker News | Original Link