Oh this is wonderful news:

DNS-PERSIST-01: A New Model for DNS-based Challenge Validation
https://letsencrypt.org/2026/02/18/dns-persist-01.html

> Instead of publishing a new challenge record for each issuance, you publish a standing authorization in the form of a TXT record that identifies both the CA and the specific ACME account you authorize to issue for this domain.

#DevOps #SysAdmin #InfoSec

When you request a certificate from Let’s Encrypt, our servers validate that you control the hostnames in that certificate using ACME challenges. For subscribers who need wildcard certificates or who prefer not to expose infrastructure to the public Internet, the DNS-01 challenge type has long been the only choice. DNS-01 works well. It is widely supported and battle-tested, but it comes with operational costs: DNS propagation delays, recurring DNS updates at renewal time, and automation that often requires distributing DNS credentials throughout your infrastructure.

@rysiek Does this mean easier access to certs without an api to create cert records? Sweet!
@Epic_Null
More like easier/better cert access to those who can't dynamically/programmatically change their DNS, for reasons like their DNS provider doesn't support it or their IT department refuses to allow it.
@rysiek
@encthenet @Epic_Null the big thing is wildcard certs.
@rysiek @encthenet ironically that's what I was trying to get last weekend.
@rysiek @encthenet @Epic_Null it will be a game-changer when it comes out

@d1 @rysiek @encthenet Given I now need a cert for an email cert on a domain that matches the rest of my site and have a single IP to service all subdomains but also multiple subdomains...

Yeah. It will be.