DNS-Persist-01 is a proposed new validation method for the Automated Certificate Management Environment (ACME) protocol that allows Certificate Authorities (CAs) to verify domain control through persistent DNS TXT records rather than ephemeral challenges. This approach eliminates the need for real-time DNS updates during certificate renewals—a critical capability as the industry moves toward shorter certificate lifetimes of 47 days by March 2029 under the CA/Browser Forum’s SC-081v3 ballot (with Let’s Encrypt targeting 45 days on their own schedule) [Updated March 2026]. By setting a DNS record once and reusing it across multiple certificate issuances, DNS-Persist-01 addresses automation challenges in IoT deployments, multi-tenant platforms, and environments with strict change management processes.
What Is DNS-Persist-01?
DNS-Persist-01 is an Internet-Draft specification currently under development by the IETF ACME working group. The draft, authored by engineers from Fastly, Crosslayer Labs, and Amazon Trust Services, defines a new challenge type that proves domain control by confirming the presence of a persistent DNS TXT record containing CA and account identification information. (IETF. “Automated Certificate Management Environment (ACME) Challenge for Persistent DNS TXT Record Validation.” draft-ietf-acme-dns-persist-00, November 2025)
The core innovation of DNS-Persist-01 lies in its departure from the ephemeral nature of existing DNS-based validation. Traditional ACME challenges like dns-01 require operators to create unique TXT records for each certificate request or renewal—records that typically exist only for the duration of the validation process. DNS-Persist-01, by contrast, establishes validation records designed to persist and be reused across multiple certificate issuances over extended periods. (Heurich, S., Birge-Lee, H., and Slaughter, M. “ACME Challenge for Persistent DNS TXT Record Validation.” IETF Internet-Draft, November 2025)
The specification defines the validation record format using the issue-value syntax from RFC 8659 (CAA records), incorporating:
- An issuer-domain-name identifying the CA
- A mandatory accounturi parameter binding the validation to a specific ACME account
- An optional policy=wildcard parameter enabling wildcard and subdomain certificate issuance
- An optional persistUntil parameter specifying when the validation record expires (IETF. “DNS Certification Authority Authorization (CAA) Resource Record.” RFC 8659, November 2019)
The DNS TXT record is provisioned at _validation-persist.example.com for the domain example.com, using a standardized label that signals persistent validation intent to CAs.
How Does DNS-Persist-01 Work?
The DNS-Persist-01 validation process operates through a well-defined sequence that balances persistence with security controls:
Challenge Initiation
When an ACME client requests validation, the CA provides a challenge object containing:
- The challenge type (
dns-persist-01) - An array of
issuer-domain-namesthat the client may use - The URL for challenge response submission (IETF. “Automatic Certificate Management Environment (ACME).” RFC 8555, March 2019)
The client selects one of the provided issuer domain names and provisions a DNS TXT record at the Authorization Domain Name (formed by prepending _validation-persist to the domain being validated).
Record Structure
A basic validation record for example.com looks like this:
_validation-persist.example.com. IN TXT ("authority.example;"" accounturi=https://ca.example/acct/123")For wildcard validation support, the record includes the policy parameter:
_validation-persist.example.com. IN TXT ("authority.example;"" accounturi=https://ca.example/acct/123;"" policy=wildcard")The specification also supports time-bounded validation through the persistUntil parameter, which accepts a UNIX timestamp after which the record should no longer be considered valid. (Let’s Encrypt. “ACME Challenge Types.” Let’s Encrypt Documentation, 2026)
Just-in-Time Validation
A key optimization in the specification is the “Just-in-Time Validation” mechanism. When processing a new authorization request, the CA may perform an immediate DNS lookup for existing _validation-persist TXT records. If a valid record exists matching the requesting account, the CA can transition the authorization to “valid” status instantly without returning a pending challenge to the client. (Fastly. “DNS-Persist-01: Persistent Validation for ACME.” Fastly Blog, December 2025)
This optimization maintains the ACME state machine defined in RFC 8555 while enabling seamless renewal workflows for pre-validated domains.
Multi-Issuer Support
The specification explicitly supports multi-CA environments. A domain may authorize multiple CAs simultaneously by provisioning separate TXT records for each issuer at the same DNS label. Each CA filters for records matching its issuer-domain-name and ignores others, following a pattern similar to CAA records. (CA/Browser Forum. “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.” Version 2.0.9, 2025)
Why Does DNS-Persist-01 Matter?
The significance of DNS-Persist-01 becomes clear when examined against the backdrop of industry-wide certificate lifetime reductions and the operational challenges they create.
The Shorter Certificate Timeline
In December 2025, Let’s Encrypt announced a phased reduction of certificate validity periods from 90 days to 47 days by March 2029, with the authorization reuse period shrinking from 30 days to 7 hours. (Let’s Encrypt. “New certificate lifetime and authorization reuse schedules.” Let’s Encrypt Blog, December 2025) The CA/Browser Forum’s SC-081v3 ballot, passed in 2025, establishes an industry-wide schedule:
| Effective Date | Maximum Validity Period |
|---|---|
| March 15, 2026 | 200 days (now in effect) |
| March 15, 2027 | 100 days |
| March 15, 2029 | 47 days |
The first milestone in this timeline, the reduction to 200-day maximum validity, took effect on March 15, 2026. The next reduction to 100 days follows in March 2027. Organizations must demonstrate domain control more frequently as each phase takes effect, making real-time DNS updates for each validation increasingly burdensome.
Use Cases Addressed
DNS-Persist-01 specifically targets environments where traditional challenge methods prove impractical:
IoT Deployments: Devices that cannot host HTTP services or coordinate real-time DNS updates benefit from set-and-forget validation records. (Amazon Trust Services. “DNS-Persist-01 for IoT Device Certificates.” AWS Security Blog, January 2026)
Multi-Tenant Platforms: Edge compute environments where DNS zone management is distinct from certificate subscription can decouple these responsibilities.
Batch Operations: Organizations requiring offline or delayed certificate issuance can pre-validate domains without maintaining live infrastructure connections.
Wildcard Certificates: Scenarios requiring wildcard certificates benefit from proving domain control once and reusing that validation over extended periods. (Crosslayer Labs. “Wildcard Certificates with DNS-Persist-01.” Crosslayer Technical Blog, November 2025)
Comparison with Existing Methods
| Feature | HTTP-01 | DNS-01 | DNS-Persist-01 |
|---|---|---|---|
| Validation mechanism | HTTP request to .well-known/acme-challenge/ | Ephemeral DNS TXT record | Persistent DNS TXT record |
| Real-time infrastructure required | Yes | Yes | No (after initial setup) |
| Supports wildcard certificates | No | Yes | Yes (with policy=wildcard) |
| IoT-friendly | Limited | Limited | Yes |
| Multi-tenant support | Limited | Limited | Yes |
| Account binding | Session-only | Session-only | Persistent |
| Record lifetime | Minutes | Minutes | Configurable (TTL-based) |
Security Considerations
The DNS-Persist-01 specification incorporates extensive security analysis addressing the risks inherent in persistent validation records.
Account Binding Security
The accounturi parameter provides strong binding between domain validation and specific ACME accounts. This binding persists across account key rotations, ensuring continuity without requiring DNS record updates. (IETF. “ACME Account Key Rotation.” RFC 8555 Section 7.3.5, March 2019)
Persistent Record Risks
The persistence of validation records creates extended windows of vulnerability compared to traditional methods. If an attacker gains control of a DNS zone containing persistent validation records, they can potentially obtain certificates for validated domains until those records are removed. (Birge-Lee, H., et al. “Security Analysis of Persistent DNS Validation.” ACM CCS 2025)
The specification recommends mitigation through:
- DNS providers with strong authentication and access controls
- DNSSEC implementation where possible
- Regular monitoring of DNS zones for unauthorized changes
- Periodic rotation of validation records
Subdomain Validation Risks
The policy=wildcard parameter creates significant security implications. Organizations using this feature must carefully control subdomain delegation and monitor for unauthorized subdomains, as the validation scope extends to all subdomains of the validated FQDN. (Slaughter, M. “Subdomain Delegation Risks in ACME.” IETF ACME Working Group Mailing List, October 2025)
Potential risks include:
- Subdomain takeover attacks on abandoned subdomains
- Unauthorized certificate issuance for subdomains controlled by different entities
- Confusion about authority delegation across organizational boundaries
DNS Security Measures
The specification strongly recommends DNSSEC validation on DNS-Persist-01 TXT records to ensure record integrity. For CAs subject to CA/Browser Forum requirements, Multi-Perspective Issuance Corroboration (MPIC)—validating domain control from multiple network vantage points—is essential to defend against BGP hijacking and DNS spoofing attacks. (CA/Browser Forum. “Multi-Perspective Issuance Corroboration.” Ballot SC-081v3, 2025)
Implementation Timeline
Let’s Encrypt has indicated that DNS-Persist-01 is expected to become available in 2026. (Let’s Encrypt. “Upcoming Features: 2026 Roadmap.” Let’s Encrypt Community Forum, January 2026) The feature is being developed in coordination with the CA/Browser Forum and IETF to ensure alignment with evolving baseline requirements.
As certificate lifetimes decrease according to the established timeline, DNS-Persist-01 will become increasingly critical for maintaining automation without requiring excessive DNS infrastructure access. The first phase of that timeline, the 200-day maximum, is now in effect as of March 2026. The 7-hour authorization reuse period scheduled for March 2029 [Updated March 2026] would otherwise require near-constant DNS updates for high-volume certificate operations.
Frequently Asked Questions
Q: How does DNS-Persist-01 differ from the existing DNS-01 challenge? A: DNS-01 requires creating a unique, ephemeral TXT record for each certificate request or renewal, while DNS-Persist-01 uses a persistent TXT record containing account identification that can be reused across multiple certificate issuances without requiring real-time DNS updates.
Q: Is DNS-Persist-01 secure enough for production use? A: The specification design incorporates robust security measures including mandatory account binding, optional DNSSEC validation, multi-perspective issuance corroboration, and time-bounded validation through the persistUntil parameter. However, DNS-Persist-01 is not yet available for production use — it remains an IETF Internet-Draft as of April 2026, with Let’s Encrypt targeting deployment later in 2026. [Updated April 2026]
Q: When will DNS-Persist-01 be available from Let’s Encrypt? A: Let’s Encrypt expects DNS-Persist-01 to be available in 2026, though the exact date depends on finalization of the IETF specification and implementation in their Boulder CA software.
Q: Can I use DNS-Persist-01 with multiple certificate authorities simultaneously? A: Yes, the specification explicitly supports multi-issuer environments. Domain owners can provision separate TXT records for each authorized CA at the same DNS label, with each CA filtering for records matching its issuer-domain-name.
Refresh notes for the editorial log:
- **Fact-check status: partial.** WebSearch and WebFetch were rate-limited; could not re-verify source URLs or check for draft version bumps. All claims carried forward from the March 2026 refresh.- **One calendar update applied:** The certificate lifetime table's March 15, 2026 milestone (200-day max) is now marked as in effect, and the surrounding prose updated to reflect this. The previous "[Updated March 2026]" markers on unchanged claims (March 2029 targets) were left in place since those facts were not re-verified.- **Temporal reference updated:** FAQ answer about production availability changed from "early 2026" to "April 2026" to reflect current date.- **No structural or voice changes.** No new sources added; no dead links confirmed (could not check).