Let’s Encrypt Introduces DNS-PERSIST-01 for Persistent ACME DNS Validation

With DNS-PERSIST-01, Let's Encrypt users can validate their domains without having to update DNS records every time they issue or renew a certificate.

Let’s Encrypt now supports a new ACME challenge type called DNS-PERSIST-01. This method uses a persistent DNS-based authorization model to make certificate issuance and renewal easier and less time-consuming.

This new challenge (based on an IETF draft) offers an alternative to the popular DNS-01 method. Of course, DNS-01 is still fully supported, but DNS-PERSIST-01 changes how you prove control over your domain during validation. Here’s how it works.

With DNS-01, you need to publish a new TXT record under _acme-challenge.<domain> every time you issue or renew a certificate. The ACME client adds a one-time token from the CA, which the CA then checks using DNS queries. This approach gives fresh proof of DNS control each time, but it also means you have to keep updating DNS records and wait for them to propagate.

DNS-PERSIST-01 changes this by letting you set up a permanent authorization record. Instead of adding a new token each time, you create a persistent TXT record at _validation-persist.<domain> that allows a specific ACME account and CA to issue certificates for your domain.

A typical record lists the CA’s issuer domain and the ACME account URI. After you publish it, you can reuse it for new certificates and renewals, so you no longer need to update DNS records each time.

This new method also lets you control the scope of authorization. By default, it only covers the specific domain you validated and stays valid indefinitely. If you add a policy=wildcard parameter, you can issue wildcard certificates like *.example.com and cover all matching subdomains.

Additionally, you can add an optional persistUntil parameter to set how long the authorization lasts. This timestamp marks the point after which the record can no longer be used for new validations. Once it passes, you’ll need to update or replace the record, so keep an eye on it to avoid losing authorization by accident.

Finally, it’s worth noting that you can authorize multiple certificate authorities simultaneously. To do this, publish multiple TXT records at the same _validation-persist.<domain> label, each with the issuer-domain-name of a CA. When validating, each CA only checks the records that match its own identifier.
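To make the scope, expiry and multi-CA rules concrete, here is a small model of the check a CA performs against the TXT records it finds at _validation-persist.<domain>. This is an added example, not code from Let’s Encrypt, its Boulder CA, or the article. It assumes the record syntax from the IETF draft as understood here (the issuer-domain-name first, then semicolon-separated key=value parameters: accounturi, policy=wildcard, persistUntil as Unix seconds), that Let’s Encrypt’s issuer-domain-name matches its CAA value letsencrypt.org, and that a wildcard request for *.example.com is checked at the label for example.com; the account URLs and CA names in the sample records are constructed.

```python
"""Model of CA-side DNS-PERSIST-01 authorization checking (illustrative only).

Assumed record syntax (from the IETF draft as understood here; verify against
the draft before relying on it):
    "<issuer-domain-name>; accounturi=<ACME account URL>[; policy=wildcard][; persistUntil=<unix seconds>]"
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import time


@dataclass(frozen=True)
class PersistRecord:
    issuer: str                  # CA's issuer-domain-name, lower-cased (DNS names are case-insensitive)
    account_uri: str             # ACME account URL that is authorized
    wildcard: bool               # True when policy=wildcard was present
    persist_until: Optional[int] # Unix seconds after which the record is stale; None = indefinite


def validation_label(identifier: str) -> str:
    """Return the DNS label a CA queries for this identifier.

    Assumption: the default scope is the exact name, so www.example.com is
    checked at _validation-persist.www.example.com, while a wildcard request
    for *.example.com is checked at the base name's label.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_validation-persist.{base}"


def parse_record(txt: str) -> Optional[PersistRecord]:
    """Parse one TXT value; return None for anything that is not a well-formed record.

    Parameter names are compared case-insensitively here; the draft's exact case
    rules are not stated in the article, so treat this as an assumption.
    """
    parts = [p.strip() for p in txt.split(";")]
    if not parts[0]:
        return None
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            return None
        key, value = p.split("=", 1)
        params[key.strip().lower()] = value.strip()
    account = params.get("accounturi")
    if not account:
        return None  # a record that authorizes no account is meaningless
    persist_until = None
    if "persistuntil" in params:
        try:
            persist_until = int(params["persistuntil"])
        except ValueError:
            return None
    return PersistRecord(issuer, account, params.get("policy") == "wildcard", persist_until)


def authorizes(records: List[str], ca_issuer: str, account_uri: str,
               identifier: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether the published records let `account_uri` at CA `ca_issuer`
    issue for `identifier` (a bare name or a *.wildcard). Returns (decision, reason)."""
    now = int(time.time()) if now is None else now
    wildcard_request = identifier.startswith("*.")
    reasons = []
    for txt in records:
        rec = parse_record(txt)
        if rec is None:
            reasons.append("unparseable record ignored")
            continue
        if rec.issuer != ca_issuer.lower():
            continue  # each CA only looks at records naming its own issuer-domain-name
        if rec.account_uri != account_uri:
            reasons.append(f"{rec.issuer}: record names a different ACME account")
            continue
        if rec.persist_until is not None and now >= rec.persist_until:
            reasons.append(f"{rec.issuer}: persistUntil has passed")
            continue
        if wildcard_request and not rec.wildcard:
            reasons.append(f"{rec.issuer}: wildcard requested but policy=wildcard is absent")
            continue
        return True, f"authorized by record for {rec.issuer}"
    return False, "; ".join(reasons) or "no record for this CA"


# Constructed sample TXT values for _validation-persist.example.com (not real accounts or CAs).
LE_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/000000"   # placeholder account id
CA2_ACCOUNT = "https://acme.ca-two.example/acct/42"                     # hypothetical second CA
SAMPLE_RECORDS = [
    f"letsencrypt.org; accounturi={LE_ACCOUNT}; policy=wildcard",           # indefinite, wildcard allowed
    f"ca-two.example; accounturi={CA2_ACCOUNT}; persistUntil=1700000000",   # exact name only, expires
    "this is not a valid record",                                           # ignored by the parser
]

if __name__ == "__main__":
    print(validation_label("*.example.com"))
    for ident in ("example.com", "*.example.com"):
        print(ident, authorizes(SAMPLE_RECORDS, "letsencrypt.org", LE_ACCOUNT, ident, now=1800000000))
        print(ident, authorizes(SAMPLE_RECORDS, "ca-two.example", CA2_ACCOUNT, ident, now=1690000000))
    print("after expiry", authorizes(SAMPLE_RECORDS, "ca-two.example", CA2_ACCOUNT, "example.com", now=1700000000))
```

The operational point the model makes visible: a record without persistUntil keeps working until you remove it, so the audit question for this challenge type is not "is the token fresh" but "which accounts and CAs does my zone currently authorize, and should they still be there".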

To learn more, check out the official announcement.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
