Managing production certificates using DNS-based challenge validation has always meant wrestling with DNS churn, propagation delays, and brittle automation. Now, the DNS-PERSIST-01 challenge—recently adopted by Let’s Encrypt and formalized in an IETF draft—offers a fundamentally different approach: persistent, account-bound DNS authorization. This new model is poised to change how DevOps teams handle certificate issuance, lifecycle management, and incident response. Here’s what DNS-PERSIST-01 means for your infrastructure, how to implement it securely, and what operational pitfalls to watch for as this method gains traction.
Key Takeaways:
- DNS-PERSIST-01 introduces a persistent DNS TXT record for challenge validation, streamlining domain authorization and minimizing DNS changes.
- Let’s Encrypt is pioneering this method, with other CAs and ACME clients expected to follow as the draft matures.
- This model reduces operational risk and supports better automation but shifts the security burden to ongoing record management.
- You’ll learn the protocol mechanics, see full production configuration examples, and get practical troubleshooting and security advice tailored for live operations.
Why DNS-PERSIST-01 Matters Now
The traditional DNS-01 challenge—central to ACME-based certificate automation—has enabled organizations to scale HTTPS across fleets, but it comes with operational baggage. For every certificate issuance or renewal, a new TXT record must be published, validated, and then (ideally) cleaned up. This process introduces:
- High-frequency DNS updates that increase the risk of misconfiguration and race conditions
- Time-to-issuance delays due to unpredictable DNS propagation
- Complex automation scripts that must handle edge cases, retries, and DNS provider inconsistencies
- Security blind spots when stale records are left behind, potentially exposing validation data
For organizations deploying certificates across hundreds or thousands of domains, this model is increasingly unsustainable. Automation can break silently if DNS APIs change, and incident response becomes more difficult when tracking down which transient record is responsible for a failed validation or a rogue issuance.
This is where DNS-PERSIST-01 offers a breakthrough. As described in the IETF draft and highlighted in Let’s Encrypt’s announcement, the new method replaces ephemeral records with a single, long-lived TXT record that proves domain control for a given ACME account and CA. This change is especially compelling for:
- Large enterprises automating certificate management at scale
- DevOps teams seeking “set-and-forget” automation aligned with immutable infrastructure
- Organizations with strict compliance requirements for change management and auditability
This evolution mirrors trends discussed in our coverage of persistent relay architectures and legacy infrastructure support—where minimizing operational churn directly impacts reliability and security.
It’s important to note that this shift also brings new risks and design considerations, such as the exposure of persistent account information in DNS and the need for explicit record rotation policies. As with any foundational change, DNS-PERSIST-01 is not a free lunch; it requires thoughtful adoption and a clear operational model.
How DNS-PERSIST-01 Works
Protocol Deep Dive
DNS-PERSIST-01 changes the semantics of DNS-based validation by introducing a persistent TXT record—typically at _acme-persist.YOURDOMAIN.TLD—that encodes authorization for a specific ACME account and CA. This record is consulted by the CA for every certificate issuance request related to that account, up until the record is removed or altered.
The TXT record must include:
- ACME account key identifier (unique to your client’s account with the CA)
- CA identifier (e.g., Let’s Encrypt’s unique string)
- Optional expiration timestamp and additional structured attributes, as outlined in the draft
Unlike DNS-01, you do not need to update the record for each new certificate—lowering the risk of missed renewals or failed automation. The CA checks that the record matches the details of the request and, if so, authorizes issuance.
Sample Persistent TXT Record
Assume you want to authorize api.example.com for Let’s Encrypt using DNS-PERSIST-01. Your DNS entry would look like:
```dns
; At _acme-persist.api.example.com (zone-file comment syntax uses ";")
_acme-persist.api.example.com. 3600 IN TXT "v=acme-persist-01; ca=letsencrypt.org; account=1234abcd5678efgh; exp=2027-01-01T00:00:00Z"
```
This record will remain valid for all future certificate requests by the specified account, until the exp date or until you manually rotate or remove it. The persistent nature of the record is what differentiates this approach from legacy DNS-01 validation, where a new random value is required for every operation.
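The check described above (the CA matches the record to the request's CA and account and honours exp) as an added Python example; this is not code from the IETF draft, Let's Encrypt or any ACME client, and the "k=v; k=v" layout with fields v, ca, account and exp is assumed from the sample record above, since the final specification may define the fields differently.

```python
"""Evaluate a TXT record laid out like the article's sample. Added example, not from the
IETF draft, Let's Encrypt or any client; field names (v, ca, account, exp) follow the sample."""
from datetime import datetime

# Constructed sample, copied from the article's example record value.
SAMPLE_RECORD = ("v=acme-persist-01; ca=letsencrypt.org; "
                 "account=1234abcd5678efgh; exp=2027-01-01T00:00:00Z")

def parse_persist_record(txt: str) -> dict:
    """Split 'k=v; k=v' into a dict, rejecting malformed or duplicate fields."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key in fields:
            raise ValueError(f"duplicate field: {key}")
        fields[key] = value
    return fields

def _ts(iso: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp such as 2027-01-01T00:00:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def authorizes(txt: str, ca: str, account: str, now_iso: str) -> tuple:
    """Mirror the CA-side check the article describes: version, CA and account must
    match the request exactly and exp (if present) must still be in the future.
    Returns (decision, reason) so a failed check is explainable in logs."""
    try:
        f = parse_persist_record(txt)
    except ValueError as e:
        return False, str(e)
    if f.get("v") != "acme-persist-01":
        return False, "unsupported or missing version"
    if f.get("ca") != ca:
        return False, "CA mismatch or missing"
    if f.get("account") != account:
        return False, "account mismatch or missing"
    if "exp" in f and _ts(f["exp"]) <= _ts(now_iso):
        return False, f"expired at {f['exp']}"
    return True, "authorized"

if __name__ == "__main__":
    print(authorizes(SAMPLE_RECORD, "letsencrypt.org", "1234abcd5678efgh", "2026-06-01T00:00:00Z"))
```

The same parser doubles as the Step 2 verification: feed it the value dig returns and compare field by field with what you configured, which pinpoints the deviation instead of just reporting a failed validation.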
Real-World Use Cases
- Multi-domain SaaS environments: Where each tenant or environment can be mapped to a persistent authorization, vastly reducing DNS API calls across CI/CD pipelines.
- IoT deployments: Devices can securely renew certificates without requiring dynamic DNS updates, minimizing connectivity risk in bandwidth-constrained environments.
- Disaster recovery: Reissuing certificates after an incident becomes faster, since the persistent authorization remains valid even if automation is temporarily down.
Comparison Table: DNS-01 vs DNS-PERSIST-01
| Aspect | DNS-01 | DNS-PERSIST-01 |
|---|---|---|
| Record Lifecycle | Ephemeral (per issuance/renewal) | Persistent (per account/CA) |
| Automation Complexity | High (frequent DNS updates, error handling) | Low (single record, less churn) |
| Operational Risk | DNS update failures, propagation lag | Record rotation, persistent exposure |
| Security Considerations | Short-lived risk, lower impact of compromise | Long-lived risk, requires monitoring |
| Ideal Use Case | Simple, small environments | Enterprise, multi-domain, automated fleet |
Production Implementation Guide
Prerequisites
- DNS provider with robust API and support for custom TXT records
- Up-to-date ACME client supporting DNS-PERSIST-01 (check with vendor or Let’s Encrypt’s release notes)
- Let’s Encrypt (or compatible CA) account with access to account key identifier
- Change management and monitoring tools to track DNS record lifecycle
Step 1: Gather Account and CA Identifiers
First, you’ll need to retrieve your ACME account’s key thumbprint and the CA’s identifier. For acme.sh:
```shell
acme.sh --info
# Look for "ACCOUNT_THUMBPRINT"
```
For Certbot, inspect the account metadata file in /etc/letsencrypt/accounts or run:
```shell
cat /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/meta.json
```
Step 2: Create the _acme-persist TXT Record
Use your DNS provider’s CLI or API to create the persistent record. Here’s a Terraform configuration for AWS Route 53:
```hcl
resource "aws_route53_record" "acme_persist" {
  zone_id = var.zone_id
  name    = "_acme-persist.api.example.com"
  type    = "TXT"
  ttl     = 3600
  records = [
    "v=acme-persist-01; ca=letsencrypt.org; account=1234abcd5678efgh; exp=2027-01-01T00:00:00Z"
  ]
}
```
After applying, verify with dig:
```shell
dig TXT _acme-persist.api.example.com +short
```
Expect the exact value you configured—any deviation will cause validation to fail.
Step 3: Configure Your ACME Client
Update your ACME client to use DNS-PERSIST-01. For acme.sh:
```shell
acme.sh --issue --dns --challenge-algo dns-persist-01 -d api.example.com
```
For Certbot, monitor the changelog for DNS-PERSIST-01 support. If your client does not yet support the new challenge, test with a staging environment or contribute to open-source client development.
Step 4: Monitor and Rotate as Needed
- Integrate DNS record monitoring with your observability stack to alert on changes or deletions
- Establish a periodic review process for all _acme-persist records, especially before account rotation or CA changes
- Document authorization lifespans and set calendar reminders for planned expirations
Step 5: Disaster Recovery and Revocation
If an account key is compromised, immediately delete or update the persistent TXT record to prevent unauthorized issuance. Practice this workflow in staging to ensure a smooth response in production.
Security and Operational Considerations
Security Analysis
Persistent authorizations shift the attack surface: compromising the DNS zone or the ACME account enables ongoing certificate issuance until the _acme-persist record is revoked. This is a trade-off—fewer DNS updates mean fewer chances for automation failure, but a single lapse in DNS security can have a longer impact. To mitigate:
- Use strong, regularly rotated API credentials for DNS provider access
- Apply least-privilege principles: only automation and authorized admins should have write access to DNS
- Monitor logs for unexpected ACME certificate issuances and cross-check against planned operations
- Configure short exp values for high-security zones, forcing regular review and renewal of authorization
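Cross-checking observed issuances against the _acme-persist inventory, as the monitoring point above and the audit tips further down suggest, as an added Python example; the events and inventory are constructed, and this is not tooling from the article, the draft or any CA (in practice the events would come from ACME client logs or CT-log monitoring and the inventory from your DNS provider or infrastructure-as-code state).

```python
"""Cross-check observed certificate issuances against the _acme-persist inventory.
Added example, not from the article, the draft or any CA tooling; events and inventory
below are constructed (in practice: ACME client logs or CT monitoring, and DNS/IaC state)."""
from datetime import datetime

# Constructed inventory: domain -> (account id the record authorizes, exp as ISO 8601).
PERSIST_INVENTORY = {
    "api.example.com": ("1234abcd5678efgh", "2027-01-01T00:00:00Z"),
    "www.example.com": ("1234abcd5678efgh", "2026-03-01T00:00:00Z"),
}

# Constructed issuance events: (timestamp, domain, requesting account id).
ISSUANCE_EVENTS = [
    ("2026-02-10T09:00:00Z", "api.example.com", "1234abcd5678efgh"),   # expected
    ("2026-02-11T10:30:00Z", "api.example.com", "ffff0000deadbeef"),   # foreign account
    ("2026-03-05T08:15:00Z", "www.example.com", "1234abcd5678efgh"),   # after exp
    ("2026-02-12T12:00:00Z", "shop.example.com", "1234abcd5678efgh"),  # no record at all
]

def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def audit_issuances(events, inventory):
    """Return (domain, timestamp, reason) for every issuance the persistent
    authorization does not explain; each is a candidate for incident review."""
    findings = []
    for when, domain, account in events:
        entry = inventory.get(domain)
        if entry is None:
            findings.append((domain, when, "no _acme-persist record for this domain"))
            continue
        auth_account, exp = entry
        if account != auth_account:
            findings.append((domain, when, f"issued by {account}; record authorizes {auth_account}"))
        elif _ts(when) >= _ts(exp):
            findings.append((domain, when, f"issued after record exp {exp}"))
    return findings

def expiring_within(inventory, now_iso, days):
    """Domains whose exp falls within the next `days` days, for planned-rotation reminders."""
    now = _ts(now_iso)
    return sorted(d for d, (_, exp) in inventory.items() if 0 <= (_ts(exp) - now).days < days)

if __name__ == "__main__":
    for finding in audit_issuances(ISSUANCE_EVENTS, PERSIST_INVENTORY):
        print("ALERT", *finding)
```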
Some industry voices have flagged the operational challenge of updating account or CA data in all relevant DNS records when changes occur (see Hacker News feedback). Address this by integrating record updates into your infrastructure-as-code and change management pipelines.
Operational Best Practices
- Keep an up-to-date inventory of all _acme-persist records across your domains
- Automate notifications for record expiration or drift using your configuration management system
- Test the full lifecycle: creation, update, rotation, and revocation of persistent records in a non-production environment before going live
- For highly regulated environments, document and audit every change to persistent DNS authorization as part of compliance procedures
For a broader view on how persistent infrastructure changes affect long-term operations, see our analysis of legacy OS support and operational continuity.
Troubleshooting and Common Pitfalls
Common Errors and Solutions
| Symptom | Potential Cause | Action |
|---|---|---|
| ACME client “authorization failed” | Incorrect account or CA ID in TXT record; missing exp field (if required) | Check ACME client logs for expected values; verify with dig; correct record in DNS |
| No response from Let’s Encrypt | DNS propagation lag, incorrect record name, or high TTL on previous record | Use dig repeatedly; clear DNS caches; lower TTL during transition |
| Certificate issuance halts after account/CA change | Stale _acme-persist record references old identifiers | Update DNS record before making changes; coordinate in change window |
| Unexpected certificate issuance after incident | Persistent TXT record left in DNS after account compromise | Delete or update record immediately; audit for unauthorized certificates |
Pro Tips for Reliable Operations
- Use short TTLs (60-300 seconds) during record deployment and rotation phases, then increase for operational stability
- Integrate DNS record checking into your CI/CD pipeline; fail deployments if records are missing or incorrect
- Schedule quarterly audits of all persistent DNS records, cross-referencing with ACME account inventory
- In multi-cloud or multi-provider environments, script updates across all DNS providers to ensure consistency
- Set up DNS anomaly detection in your SIEM for unauthorized or unexpected _acme-persist changes
For more troubleshooting strategies, see our production deployment guides for distributed architectures.
Conclusion and Next Steps
DNS-PERSIST-01 is a meaningful leap for DNS-based challenge validation, offering a more robust, automation-friendly, and scalable model for modern certificate management. With Let’s Encrypt’s implementation setting the industry pace, it’s likely this approach will become the new standard as the IETF draft matures and more ACME clients add support. The persistent record model reduces operational complexity but demands new rigor in record management, monitoring, and incident response.
Immediate next steps for teams include:
- Reviewing your DNS provider capabilities and automation for support of persistent TXT records
- Piloting DNS-PERSIST-01 on non-critical domains to understand lifecycle management in your environment
- Improving monitoring and alerting for all certificate issuance workflows, especially around persistent authorizations
- Updating change management and security policies to reflect the new risks and procedures introduced by persistent DNS authentication
For additional context on securing production infrastructure and adapting to new certificate workflows, see our coverage of recent browser zero-days and strategies for resilient peer relay deployments. Continue monitoring Let’s Encrypt’s release notes and the IETF draft for ongoing specification changes and best practices.
The move to persistent DNS authorization may not be a silver bullet for every environment, but for high-scale, automation-driven operations, it’s a foundational improvement that’s worth evaluating—and piloting—today.