
Support DNS-PERSIST-01 and separate DNS changes from certificate issuance #1152

Description

@shibayan

Background

Let’s Encrypt has announced plans to support DNS-PERSIST-01.

DNS-PERSIST-01 replaces per-issuance _acme-challenge TXT record updates with a persistent authorization record at _validation-persist.<FQDN>. The record is bound to a specific CA and ACME account and can be reused for future issuance and renewal.

This can remove DNS updates, DNS propagation waits, and DNS API credentials from the certificate issuance and renewal critical path.

References:

Direction

DNS-PERSIST-01 support should not automatically create, update, or delete _validation-persist records.

Treat DNS-PERSIST-01 TXT records as persistent issuance authorization managed through DNS change management, IaC, or an explicit DNS administrator approval process.

The application should be responsible for:

  • generating and displaying the required _validation-persist TXT record value
  • verifying existing DNS records in read-only mode
  • making policy=wildcard and persistUntil behavior explicit
  • warning when persistUntil is near expiry or expired
  • documenting ACME account key protection requirements
  • avoiding DNS write credentials during issuance and renewal

Tasks

  • Design DNS-PERSIST-01 as a separate validation mode from DNS-01
  • Detect whether the ACME server supports DNS-PERSIST-01
  • Generate the TXT record value from the ACME account URI and issuer domain name
  • Implement read-only verification for _validation-persist.<FQDN>
  • Determine and display whether policy=wildcard is required for wildcard certificates
  • Display and warn about persistUntil when configured
  • Expose required DNS records in the UI / CLI / API
  • Make DNS provider write credentials unnecessary when DNS-PERSIST-01 is used
  • Add documentation for the operating model, security considerations, and rollback/removal procedures

Acceptance Criteria

  • The application can generate DNS-PERSIST-01 TXT record values
  • The application can verify _validation-persist.<FQDN> TXT records in read-only mode
  • Certificate issuance and renewal do not automatically modify DNS records when DNS-PERSIST-01 is used
  • The presence or absence of policy=wildcard is clearly shown to the user
  • Expired or soon-to-expire persistUntil values are detected
  • Documentation explains that the ACME account key becomes the primary sensitive asset
  • Existing DNS-01 behavior and DNS-PERSIST-01 behavior remain clearly separated
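One way to implement the generate and read-only verify tasks listed above, as an added Python example that is not code from the project or from the issue author. It assumes the record syntax as I read the DNS-PERSIST-01 draft (issuer domain name first, then semicolon-separated accounturi=, policy= and persistUntil= parameters, with persistUntil as a Unix timestamp) and that a wildcard identifier is authorized by the record at the base name; both should be checked against the current draft text. The account URI and TXT values are constructed, and the verifier takes already-fetched TXT strings as input, so it has no network dependency and no DNS write path at all.

```python
"""Read-only DNS-PERSIST-01 helpers: build the TXT value an operator must publish
and check fetched TXT values without touching DNS.  Added example, not project code.
Record syntax below is my reading of the draft, not quoted from it."""
from __future__ import annotations

from dataclasses import dataclass, field

PERSIST_LABEL = "_validation-persist"


def record_name(identifier: str) -> str:
    """Owner name of the TXT record for a certificate identifier.
    Assumption: a wildcard identifier "*.example.com" is authorized by the
    record at the base name, so the leading "*." is dropped."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"{PERSIST_LABEL}.{base.rstrip('.').lower()}"


def generate_record(issuer_domain: str, account_uri: str,
                    wildcard: bool = False,
                    persist_until: int | None = None) -> str:
    """Build the TXT value to hand to the DNS owner (assumed syntax: issuer
    domain, then ';'-separated key=value parameters)."""
    parts = [issuer_domain.lower(), f"accounturi={account_uri}"]
    if wildcard:
        parts.append("policy=wildcard")
    if persist_until is not None:
        parts.append(f"persistUntil={int(persist_until)}")
    return "; ".join(parts)


def parse_record(txt: str) -> tuple[str, dict[str, str]]:
    """Split a TXT value into (issuer domain, parameters).  Raises ValueError on
    a malformed parameter so garbage is never silently treated as authorization."""
    fields = [f.strip() for f in txt.split(";")]
    issuer = fields[0].lower()
    params: dict[str, str] = {}
    for f in fields[1:]:
        if not f:
            continue
        if "=" not in f:
            raise ValueError(f"malformed parameter {f!r}")
        key, value = f.split("=", 1)
        params[key.strip()] = value.strip()
    return issuer, params


@dataclass
class Verdict:
    authorized: bool
    findings: list[str] = field(default_factory=list)


def verify_records(txt_values: list[str], issuer_domain: str, account_uri: str,
                   wildcard: bool, now: int, warn_before: int = 14 * 86400) -> Verdict:
    """Decide from already-fetched TXT values whether this CA + ACME account
    (and wildcard policy, if requested) is authorized, and flag persistUntil."""
    verdict = Verdict(authorized=False)
    for txt in txt_values:
        try:
            issuer, params = parse_record(txt)
        except ValueError as exc:
            verdict.findings.append(f"skipped unparsable record: {exc}")
            continue
        # The issuer is a DNS name (case-insensitive); the account URI is compared
        # exactly, as the CAA accounturi parameter is in RFC 8657.
        if issuer != issuer_domain.lower() or params.get("accounturi") != account_uri:
            continue
        if wildcard and params.get("policy") != "wildcard":
            verdict.findings.append("record matches CA and account but lacks policy=wildcard")
            continue
        until = params.get("persistUntil")
        if until is not None:
            if not until.isdigit():
                verdict.findings.append(f"invalid persistUntil {until!r}")
                continue
            remaining = int(until) - now
            if remaining <= 0:
                verdict.findings.append("persistUntil has expired; the DNS owner must renew the record")
                continue
            if remaining <= warn_before:
                verdict.findings.append(f"persistUntil expires in {remaining // 86400} day(s)")
        verdict.authorized = True
    return verdict


if __name__ == "__main__":
    # Constructed sample: what a read-only TXT lookup of
    # _validation-persist.example.com might return (made-up account URI).
    ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/1234567890"
    NOW = 1_750_000_000
    sample_txt = [
        "other-ca.example; accounturi=https://other-ca.example/acct/7",
        generate_record("letsencrypt.org", ACCOUNT, wildcard=True, persist_until=NOW + 5 * 86400),
    ]
    print(record_name("*.example.com"))
    print(verify_records(sample_txt, "letsencrypt.org", ACCOUNT, wildcard=True, now=NOW))
```

The verifier deliberately fails closed: a record for another CA or account is ignored rather than reported, a wildcard request against a record without policy=wildcard is not authorized, and an expired persistUntil is an error while a soon-to-expire one is only a warning. Nothing in the module needs DNS write credentials, which is the point of separating this mode from DNS-01.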

Labels: enhancement (New feature or request)