Oh this is wonderful news:

DNS-PERSIST-01: A New Model for DNS-based Challenge Validation
https://letsencrypt.org/2026/02/18/dns-persist-01.html

> Instead of publishing a new challenge record for each issuance, you publish a standing authorization in the form of a TXT record that identifies both the CA and the specific ACME account you authorize to issue for this domain.

#DevOps #SysAdmin #InfoSec

When you request a certificate from Let’s Encrypt, our servers validate that you control the hostnames in that certificate using ACME challenges. For subscribers who need wildcard certificates or who prefer not to expose infrastructure to the public Internet, the DNS-01 challenge type has long been the only choice. DNS-01 works well. It is widely supported and battle-tested, but it comes with operational costs: DNS propagation delays, recurring DNS updates at renewal time, and automation that often requires distributing DNS credentials throughout your infrastructure.
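The standing authorization described in the quoted post is a TXT record that pins both the CA and the specific ACME account allowed to issue. The following is an added example, not code from Let's Encrypt or from the draft, showing how a subscriber might build that record and, more usefully, audit a zone for who holds a standing authorization. The record label `_validation-persist`, the `<ca>; accounturi=<url>` value layout and the CA identifier `letsencrypt.org` are assumptions made for illustration; the authoritative syntax is in the linked post and the draft it references. The TXT values below are constructed sample data.

```python
"""Build and audit standing DNS-based ACME authorizations (illustrative).

Assumed record layout (an assumption, not the authoritative spec):
  name : _validation-persist.<domain>
  value: "<ca-identifier>; accounturi=<ACME account URL>[; key=value ...]"
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

RECORD_LABEL = "_validation-persist"  # assumed label, see module docstring
_CA_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")


class RecordError(ValueError):
    """Raised for a TXT value that is not a well-formed persistent authorization."""


@dataclass(frozen=True)
class PersistRecord:
    ca: str               # CA identifier, lower-cased (DNS names are case-insensitive)
    account_uri: str      # ACME account URL, compared byte-for-byte
    extra: dict[str, str] = field(default_factory=dict)  # any further key=value pairs


def parse_persist_record(txt: str) -> PersistRecord:
    """Parse one TXT value. A record naming a CA but no account is rejected:
    a standing authorization must be scoped to exactly one ACME account."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";")]
    if len(parts) < 2 or not parts[0]:
        raise RecordError("expected '<ca>; accounturi=<url>'")
    ca = parts[0].lower()
    if not _CA_TOKEN.match(ca):
        raise RecordError(f"bad CA identifier: {parts[0]!r}")
    kv: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" not in part:
            raise RecordError(f"expected key=value, got {part!r}")
        key, value = part.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if key in kv:
            raise RecordError(f"duplicate key {key!r}")
        kv[key] = value
    uri = kv.pop("accounturi", "")
    if not uri.startswith("https://"):
        raise RecordError("accounturi must be an https ACME account URL")
    return PersistRecord(ca=ca, account_uri=uri, extra=kv)


def is_well_formed(txt: str) -> bool:
    try:
        parse_persist_record(txt)
        return True
    except RecordError:
        return False


def record_name(domain: str) -> str:
    """Owner name at which the authorization is published (assumed label)."""
    return f"{RECORD_LABEL}.{domain.strip('.').lower()}"


def make_persist_record(ca: str, account_uri: str) -> str:
    """TXT value to publish; round-trips through the parser so a typo fails here."""
    value = f"{ca}; accounturi={account_uri}"
    parse_persist_record(value)
    return value


def list_authorized_accounts(txt_records: list[str]) -> list[tuple[str, str]]:
    """Audit helper: every (ca, account) pair with a standing authorization.
    Unrelated or malformed TXT values at the same name are ignored."""
    found = []
    for txt in txt_records:
        try:
            rec = parse_persist_record(txt)
        except RecordError:
            continue
        found.append((rec.ca, rec.account_uri))
    return found


def find_authorization(txt_records: list[str], ca: str, account_uri: str) -> PersistRecord | None:
    """Return the record authorizing exactly this CA and account, else None."""
    for txt in txt_records:
        try:
            rec = parse_persist_record(txt)
        except RecordError:
            continue
        if rec.ca == ca.lower() and rec.account_uri == account_uri:
            return rec
    return None


# Constructed sample, shaped like the TXT RRset a resolver might return.
SAMPLE_TXT = [
    '"letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234567890"',
    "example-ca.test; accounturi=https://acme.example-ca.test/acct/42; policy=wildcard",
    "v=spf1 -all",       # unrelated TXT record, skipped
    "letsencrypt.org",   # CA with no account pinned: too broad, skipped
]

if __name__ == "__main__":
    print(record_name("example.com"))
    for ca, acct in list_authorized_accounts(SAMPLE_TXT):
        print(f"standing authorization: {ca} via {acct}")
```

The audit function is the part worth keeping around: with DNS-01 an authorization lapses when the challenge record is cleaned up, but a standing record keeps working until someone deletes it, so the zone itself becomes the access-control list for issuance and should be reviewed like one. Whatever the final syntax turns out to be, adapt only `parse_persist_record` and `record_name`.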

@rysiek Honestly, this is great news, but sadly we don't use DNS verification; we use HTTP verification.

@snow I might switch from HTTP to DNS-PERSIST-01 as that makes it possible to issue wildcard certs.

Plus, it does not require any HTTP endpoint to be exposed. Which means it is perfect for services on the intranet, not exposed to the Internet, for example.

@rysiek @snow I'm curious, what's prevented you from using DNS-01 challenges? Those also don't require any exposed HTTP endpoint.

@mxl @snow But they require a write-enabled API on the part of the DNS hosting, which is rarely a given.

@rysiek Fair, and even if they do allow writes, each provider needs bespoke support from the ACME client.

@mxl There are certain standardized APIs, but they are not widely supported in my experience.