Let's Encrypt Announces Persistent DNS Validation

Let’s Encrypt Announces Persistent DNS Validation — No More Recurring DNS Updates

Let’s Encrypt Announces Persistent DNS Validation — No More Recurring DNS Updates

February 24, 2026

Let’s Encrypt has announced a significant evolution in how it validates domain control for certificate issuance.

On February 18, 2026, the nonprofit Certificate Authority published details of a new ACME challenge type called DNS-PERSIST-01, designed to eliminate one of the most persistent pain points in automated certificate management: the need to repeatedly update DNS records at every renewal.

The new mechanism is currently available in Let’s Encrypt’s test environment. A staging rollout is planned for late Q1 2026, with full production deployment targeted for sometime in Q2 2026.

The Problem with DNS-01

When requesting a TLS certificate from Let’s Encrypt, applicants must prove they control the domain in question. For wildcard certificates or deployments where public infrastructure cannot be exposed, the DNS-01 challenge has long been the standard choice — and it works well. But it carries a significant operational burden.

With DNS-01, every certificate issuance or renewal requires generating a fresh one-time token, publishing it as a TXT record at _acme-challenge.<your-domain>, waiting for DNS propagation, and then cleaning it up afterward. As certificate validity periods get shorter — Let’s Encrypt is gradually reducing them from 90 days to 45 days by 2028 — this cycle repeats more and more frequently.

The core security concern is that automation tools managing this process must hold live DNS API credentials. In practice, this means API keys for providers like Cloudflare, AWS Route 53, or Alibaba Cloud end up embedded in certificate management pipelines — creating an attack surface that grows with every new integration or deployment.

How DNS-PERSIST-01 Works

DNS-PERSIST-01 takes a fundamentally different approach. Rather than publishing a new challenge record for each issuance, the domain owner sets up a single, persistent TXT record that authorizes a specific ACME account at a specific CA to issue certificates for that domain.

For a domain like example.com, the record is published at _validation-persist.example.com:

_validation-persist.example.com. IN TXT (
  "letsencrypt.org;"
  "accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234567890"
)

Once set, this record can be reused for all future issuances and renewals — no further DNS updates required. This removes DNS changes entirely from the critical path of certificate automation.

The approach shifts the security model: instead of protecting DNS API credentials throughout the automation pipeline, the key asset to protect becomes the ACME account private key. That’s a narrower, more controllable secret.

Scope Controls and Optional Expiration

DNS-PERSIST-01 introduces explicit controls over the authorization’s scope and duration.

Wildcard certificates: Adding policy=wildcard extends the authorization to cover wildcard certificates (e.g., *.example.com) and all subdomains:

_validation-persist.example.com. IN TXT (
  "letsencrypt.org;"
  "accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234567890;"
  "policy=wildcard"
)

Optional expiration: For those who are not comfortable with an open-ended authorization, a persistUntil timestamp (expressed as UTC seconds since 1970-01-01) can limit how long the record remains valid:

_validation-persist.example.com. IN TXT (
  "letsencrypt.org;"
  "accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234567890;"
  "persistUntil=1767225600"
)

Users relying on persistUntil should ensure they have monitoring or reminders in place, as an expired record will block certificate renewals.

Multiple CAs: Multiple TXT records can be published at the same DNS label, each authorizing a different CA, enabling multi-CA strategies without DNS record conflicts.

Standardization and Industry Backing

DNS-PERSIST-01 is not a Let’s Encrypt-only initiative. The underlying specification was adopted by the IETF ACME working group in October 2025. The same month, the CA/Browser Forum passed ballot SC-088v3 — defining the method formally as “DNS TXT Record with Persistent Value” (section 3.2.2.4.22) — unanimously. Although the IETF document remains an active draft, Let’s Encrypt notes the core mechanisms are not expected to change substantially before finalization.

The specification is described as “particularly suited for environments where traditional challenge methods are impractical, such as IoT deployments, multi-tenant platforms, and scenarios requiring batch certificate operations.”

Rollout Timeline

Now: Support available in Pebble, Let’s Encrypt’s miniature test CA software
In progress: lego-cli client implementation for easier experimentation
Late Q1 2026: Staging environment rollout
Q2 2026: Production deployment

The Bigger Picture

DNS-PERSIST-01 arrives at a pivotal moment. Let’s Encrypt is on a path to reduce certificate validity periods from 90 days to 45 days by 2028, with an intermediate step to 64 days in early 2027. As renewals become more frequent, the case for eliminating recurring DNS updates grows stronger.

For organizations managing dozens or hundreds of domains, the ability to configure domain authorization once and let automation handle the rest — without ever handing out DNS API credentials again — is a meaningful operational and security improvement.

More details are available at the official Let’s Encrypt announcement.

Let's Encrypt Announces Persistent DNS Validation — No More Recurring DNS Updates