Background
Let’s Encrypt has announced plans to support DNS-PERSIST-01.
DNS-PERSIST-01 replaces per-issuance _acme-challenge TXT record updates with a persistent authorization record at _validation-persist.<FQDN>. The record is bound to a specific CA and ACME account and can be reused for future issuance and renewal.
This can remove DNS updates, DNS propagation waits, and DNS API credentials from the certificate issuance and renewal critical path.
References:
Direction
DNS-PERSIST-01 support should not automatically create, update, or delete _validation-persist records.
Treat DNS-PERSIST-01 TXT records as persistent issuance authorization managed through DNS change management, IaC, or an explicit DNS administrator approval process.
The application should be responsible for:
- generating and displaying the required `_validation-persist` TXT record value
- verifying existing DNS records in read-only mode
- making `policy=wildcard` and `persistUntil` behavior explicit
- warning when `persistUntil` is near expiry or expired
- documenting ACME account key protection requirements
- avoiding DNS write credentials during issuance and renewal
Tasks
- Design DNS-PERSIST-01 as a separate validation mode from DNS-01
- Detect whether the ACME server supports DNS-PERSIST-01
- Generate the TXT record value from the ACME account URI and issuer domain name
- Implement read-only verification for `_validation-persist.<FQDN>`
- Determine and display whether `policy=wildcard` is required for wildcard certificates
- Display and warn about `persistUntil` when configured
- Expose required DNS records in the UI / CLI / API
- Make DNS provider write credentials unnecessary when DNS-PERSIST-01 is used
- Add documentation for the operating model, security considerations, and rollback/removal procedures
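As an added example covering the responsibilities listed under Direction and the tasks above (this is not code from this issue or from the project), here is a Python sketch of the read-only side: building the expected TXT value from the issuer domain name and ACME account URI, parsing what a resolver returns for `_validation-persist.<FQDN>`, and flagging a missing `policy=wildcard` or an expired / soon-to-expire `persistUntil`. The record syntax (issuer domain first, then semicolon-separated `accounturi`, `policy` and `persistuntil` parameters, with `persistuntil` as Unix seconds), the case-insensitive parameter matching and the 30-day warning window are assumptions to check against the current draft; the DNS lookup itself is left to the caller so that this code never holds DNS credentials and only ever reads.

```python
"""Read-only DNS-PERSIST-01 helper (example, not project code).

Assumed record syntax, to be checked against the current draft:
  "<issuer-domain>; accounturi=<ACME account URL>[; policy=wildcard][; persistuntil=<unix seconds>]"
"""
import time
from dataclasses import dataclass
from typing import Iterable, Optional

PERSIST_LABEL = "_validation-persist"
WARN_WINDOW_SECONDS = 30 * 24 * 3600  # assumed threshold: warn within 30 days of persistUntil


def persist_name(fqdn: str) -> str:
    """Owner name of the persistent authorization record for fqdn."""
    return f"{PERSIST_LABEL}.{fqdn.rstrip('.')}"


def build_persist_record(issuer_domain: str, account_uri: str,
                         wildcard: bool = False,
                         persist_until: Optional[int] = None) -> str:
    """Build the TXT value the operator publishes through DNS change management.
    The application only displays this string; it never writes it to DNS."""
    parts = [issuer_domain, f"accounturi={account_uri}"]
    if wildcard:
        parts.append("policy=wildcard")
    if persist_until is not None:
        parts.append(f"persistuntil={int(persist_until)}")
    return "; ".join(parts)


@dataclass
class PersistRecord:
    issuer_domain: str
    account_uri: Optional[str]
    wildcard: bool
    persist_until: Optional[int]


def parse_persist_record(txt: str) -> PersistRecord:
    """Parse one TXT string. Unknown parameters are ignored; a malformed
    persistuntil raises ValueError so the caller can report it."""
    fields = [f.strip() for f in txt.split(";")]
    issuer = fields[0]
    account_uri, wildcard, persist_until = None, False, None
    for param in fields[1:]:
        if not param:
            continue
        key, _, value = param.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "accounturi":
            account_uri = value
        elif key == "policy":
            wildcard = value.lower() == "wildcard"
        elif key == "persistuntil":
            persist_until = int(value)
    return PersistRecord(issuer, account_uri, wildcard, persist_until)


def check_persist_records(txt_values: Iterable[str], issuer_domain: str, account_uri: str,
                          need_wildcard: bool, now: Optional[float] = None) -> dict:
    """Evaluate already-fetched TXT strings against what this ACME account needs.
    Read-only: returns status flags plus human-readable warnings and errors."""
    now = time.time() if now is None else now
    result = {"ok": False, "matched": None, "warnings": [], "errors": []}
    rejections = []
    for txt in txt_values:
        try:
            rec = parse_persist_record(txt)
        except ValueError:
            result["warnings"].append(f"unparseable record ignored: {txt!r}")
            continue
        # A record bound to another CA or ACME account is not our authorization.
        if rec.issuer_domain.lower() != issuer_domain.lower() or rec.account_uri != account_uri:
            continue
        if rec.persist_until is not None and rec.persist_until <= now:
            rejections.append("persistUntil has expired; record no longer authorizes issuance")
            continue
        if need_wildcard and not rec.wildcard:
            rejections.append("wildcard certificate requested but record lacks policy=wildcard")
            continue
        if rec.persist_until is not None and rec.persist_until - now < WARN_WINDOW_SECONDS:
            days = int((rec.persist_until - now) // 86400)
            result["warnings"].append(f"persistUntil expires in {days} day(s)")
        result["matched"], result["ok"] = rec, True
        break
    if not result["ok"]:
        result["errors"] = rejections or ["no _validation-persist record bound to this CA and account"]
    return result


if __name__ == "__main__":
    # Constructed sample: what a resolver might return for _validation-persist.www.example.com
    issuer, acct = "ca.example", "https://acme.example/acct/123"
    fetched = [
        build_persist_record("other-ca.example", "https://acme.other/acct/9"),  # someone else's
        build_persist_record(issuer, acct, wildcard=False, persist_until=int(time.time()) + 5 * 86400),
    ]
    print("publish:", persist_name("www.example.com"), "TXT", build_persist_record(issuer, acct, wildcard=True))
    print("status :", check_persist_records(fetched, issuer, acct, need_wildcard=False))
```

The checker deliberately skips records bound to a different issuer or account rather than treating them as errors, since several CAs may legitimately publish side by side; only records for this CA and account decide the outcome.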
Acceptance Criteria
- The application can generate DNS-PERSIST-01 TXT record values
- The application can verify `_validation-persist.<FQDN>` TXT records in read-only mode
- Certificate issuance and renewal do not automatically modify DNS records when DNS-PERSIST-01 is used
- The presence or absence of `policy=wildcard` is clearly shown to the user
- Expired or soon-to-expire `persistUntil` values are detected
- Documentation explains that the ACME account key becomes the primary sensitive asset
- Existing DNS-01 behavior and DNS-PERSIST-01 behavior remain clearly separated