DNS-Persist-01: A New Model for DNS-Based Challenge Validation
- #DNS-PERSIST-01
- #Let’s Encrypt
- #ACME
- Let’s Encrypt introduces DNS-PERSIST-01, a new ACME challenge type for certificate validation.
- Where DNS-01 requires a fresh, per-order token to be published (and later removed) for every validation, DNS-PERSIST-01 lets the subscriber publish one persistent TXT record that authorizes a given CA and ACME account to issue for the name.
- Because the ACME client no longer has to write to DNS at every renewal, the method removes the recurring DNS updates and propagation waits that make DNS-01 operationally expensive.
- The record names both the CA and the ACME account URI it authorizes, so a record published for one CA or account cannot be used by another, and the host that renews certificates no longer needs DNS-update credentials at all, which shrinks the set of systems holding those credentials.
- Wildcard certificates are supported but must be opted into explicitly: the record's scope is governed by optional parameters such as policy=wildcard, and without that parameter the record does not authorize wildcard issuance.
- An optional persistUntil timestamp bounds how long the record is honored; once it passes, the CA stops relying on the record, so subscribers who use it must publish an updated record before expiration to keep issuing.
- Several CAs can be authorized at once by publishing multiple TXT records under the same DNS label, one per CA and account; a CA only needs to find one record that matches it.
- The CA/Browser Forum approved the underlying validation method in October 2025, and the IETF ACME working group is specifying the corresponding ACME challenge.
- Pebble, Let’s Encrypt's test CA software, already supports DNS-PERSIST-01, with client implementations in progress.
- Staging rollout is planned for late Q1 2026, with production expected in Q2 2026.
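The bullets above describe what a CA has to check before it trusts a persistent record: the record must be for this CA, bound to the requesting ACME account, permit the requested scope (wildcard or not), and not be past its persistUntil time, and any one matching record among several is enough. The following Python is an added example of that CA-side evaluation; it is not Let's Encrypt's, Pebble's or any client's code. The page does not give the wire format, so the record syntax used here (a semicolon-separated list whose first item is the CA's issuer domain name, followed by key=value parameters accounturi, policy and persistUntil as a Unix timestamp in seconds) and the `_validation-persist` label are assumptions modelled on the Internet-Draft as I understand it; the sample TXT records and account URIs are constructed for this example.

```python
"""Added example (not Let's Encrypt's or Pebble's code): CA-side evaluation
of DNS-PERSIST-01 TXT records.

ASSUMPTIONS, not taken from the page: records live at
_validation-persist.<name>; each record is a semicolon-separated list whose
first item is the CA's issuer domain name, followed by key=value parameters
(accounturi, policy, persistUntil as Unix seconds). Sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LABEL = "_validation-persist"  # assumed challenge label


@dataclass
class PersistRecord:
    issuer: str                                   # e.g. "letsencrypt.org"
    params: Dict[str, str] = field(default_factory=dict)


def parse_record(txt: str) -> Optional[PersistRecord]:
    """Parse one TXT record; return None if it is malformed."""
    items = [item.strip() for item in txt.split(";")]
    if not items[0]:
        return None
    rec = PersistRecord(issuer=items[0].lower())
    for item in items[1:]:
        if not item:
            continue  # tolerate a trailing semicolon
        if "=" not in item:
            return None  # a bare word where key=value was expected
        key, value = item.split("=", 1)
        rec.params[key.strip().lower()] = value.strip()
    return rec


def record_authorizes(rec: PersistRecord, ca_issuer: str, account_uri: str,
                      wildcard: bool, now: int) -> Tuple[bool, str]:
    """Check one record against this CA, the requesting ACME account, the
    requested scope and the current time (Unix seconds)."""
    if rec.issuer != ca_issuer.lower():
        return False, "record is for a different CA"
    # Exact account-URI binding is what stops another ACME account at the
    # same CA from reusing the record.
    if rec.params.get("accounturi") != account_uri:
        return False, "record is bound to a different ACME account"
    # Wildcard scope is opt-in: no policy=wildcard, no wildcard issuance.
    if wildcard and rec.params.get("policy") != "wildcard":
        return False, "record does not permit wildcard issuance"
    persist_until = rec.params.get("persistuntil")
    if persist_until is not None:
        if not persist_until.isdigit():
            return False, "malformed persistUntil"
        if now > int(persist_until):
            return False, "record expired (persistUntil passed)"
    return True, "ok"


def find_authorization(txt_records: List[str], ca_issuer: str, account_uri: str,
                       wildcard: bool, now: int) -> Tuple[bool, str]:
    """Several records may coexist under one label (one per CA); issuance is
    authorized if any single record matches. Malformed records are skipped
    rather than failing the whole lookup, so one CA's bad record cannot
    block another CA."""
    reasons = []
    for txt in txt_records:
        rec = parse_record(txt)
        if rec is None:
            reasons.append("malformed record")
            continue
        ok, why = record_authorizes(rec, ca_issuer, account_uri, wildcard, now)
        if ok:
            return True, why
        reasons.append(why)
    return False, "; ".join(reasons) if reasons else "no records found"


# Constructed sample: what a resolver might return for
# _validation-persist.example.com TXT (three CAs' worth of records).
SAMPLE_TXT = [
    "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345;"
    " policy=wildcard; persistUntil=1800000000",
    "ca.example; accounturi=https://acme.ca.example/acct/7",
    "broken.example; nonsense",
]
LE = "letsencrypt.org"
LE_ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"

if __name__ == "__main__":
    now = 1_750_000_000
    print(find_authorization(SAMPLE_TXT, LE, LE_ACCT, wildcard=True, now=now))
    print(find_authorization(SAMPLE_TXT, LE, LE_ACCT + "6", wildcard=False, now=now))
    print(find_authorization(SAMPLE_TXT, "ca.example",
                             "https://acme.ca.example/acct/7", wildcard=True, now=now))
    print(find_authorization(SAMPLE_TXT, LE, LE_ACCT, wildcard=True, now=1_850_000_000))
```

The important design point is the order of checks: CA and account binding come before anything else, so a record published for some other CA, or for another account at the same CA, is rejected outright; scope and expiry are then evaluated only on records that are actually addressed to this CA and account.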