How Does DNS-PERSIST-01 Work?

Eliminating Repeated Validation with Let's Encrypt's Persistent DNS Auth Records

The traditional DNS-01 challenge requires creating a new _acme-challenge TXT record every time a certificate is issued or renewed. That means handing DNS API credentials to the ACME client, and DNS propagation delay is a further problem. With DNS-PERSIST-01, the CA URI and ACME account URI are published once in a _validation-persist.example.com TXT record, and the CA consults that record to verify domain control on every subsequent issuance or renewal. DNS changes are removed from the issuance path entirely, so renewal can be automated without exposing DNS API credentials.

Architecture Diagram

[Diagram: Traditional DNS-01 method (repeated every time)]
ACME Client → token request → Let's Encrypt → TXT verification → DNS Server (_acme-challenge record, must change every time)

VS

[Diagram: DNS-PERSIST-01 method (set once, reuse forever)]
ACME Client (certbot etc.) → issue request, no DNS changes → Let's Encrypt CA → account URI matching, TXT lookup → DNS Server (_validation-persist record, set once)

Key: Set CA + account URI in the _validation-persist TXT record once, and subsequent issuance/renewal completes without DNS API calls.
TXT Record Example

_validation-persist.example.com. TXT
  "acme-challenge=persist;
   ca=https://acme-v02.api.letsencrypt.org/directory;
   account=https://acme-v02.api.letsencrypt.org/acct/12345;
   policy=wildcard;
   persistUntil=2027-01-01T00:00:00Z"
Key Options

  • ca: ACME directory URL of the allowed CA (multiple CAs supported)
  • account: ACME account URI allowed to issue certificates
  • policy: wildcard includes subdomains; exact covers this domain only
  • persistUntil: validity period of this auth record (must be reset after expiry)

How It Works

1. Traditional DNS-01: issuance request → CA issues random token → create _acme-challenge TXT record → wait for DNS propagation → verification
2. Set CA URI + ACME account URI in the _validation-persist.example.com TXT record (once only)
3. ACME client requests certificate issuance from Let's Encrypt
4. Let's Encrypt queries the _validation-persist TXT record → verifies account match
5. Domain ownership verified → certificate issued (no DNS changes)
6. Same record reused on renewal → no DNS API calls needed
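As an added example (not from this page or from any ACME implementation), the CA-side decision of steps 4 and 5 modelled in Python against constructed zone data. The record layout follows the TXT example above; the walk from the requested name up through its parent labels, and the rejection rules for an expired persistUntil or a non-wildcard policy, are assumptions, since the draft's exact rules are not given here.

```python
from datetime import datetime, timezone

# Constructed sample zone data standing in for live DNS answers: owner name -> TXT strings.
# Layout follows the record example on this page; the draft's exact syntax may differ.
ZONE = {
    "_validation-persist.example.com.": [
        "acme-challenge=persist; ca=https://acme-v02.api.letsencrypt.org/directory; "
        "account=https://acme-v02.api.letsencrypt.org/acct/12345; policy=wildcard; "
        "persistUntil=2027-01-01T00:00:00Z",
    ],
    "_validation-persist.exact.example.com.": [
        "acme-challenge=persist; ca=https://acme-v02.api.letsencrypt.org/directory; "
        "account=https://acme-v02.api.letsencrypt.org/acct/99999; policy=exact; "
        "persistUntil=2020-01-01T00:00:00Z",  # constructed: already expired
    ],
}


def parse_record(txt):
    """Split 'k=v; k=v' into a dict; return None unless it is a persist record."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return fields if fields.get("acme-challenge") == "persist" else None


def authorized(identifier, ca, account, now, zone=ZONE):
    """CA-side check (assumed tree walk): look up _validation-persist under the requested
    name, then under each parent label, stopping before the TLD. The first record naming
    this CA and account decides: expired -> reject; found on a parent but not policy=wildcard
    -> reject; otherwise authorize. A '*.' label never has its own record, so wildcards
    are only satisfiable by a parent record with policy=wildcard."""
    labels = identifier.rstrip(".").split(".")
    for depth in range(len(labels) - 1):
        owner = ".".join(labels[depth:])
        for txt in zone.get(f"_validation-persist.{owner}.", []):
            rec = parse_record(txt)
            if rec is None or rec.get("ca") != ca or rec.get("account") != account:
                continue  # record belongs to another CA/account; keep walking
            until = datetime.fromisoformat(rec["persistUntil"].replace("Z", "+00:00"))
            if now >= until:
                return False, "persistUntil has passed; record must be reset"
            if depth > 0 and rec.get("policy") != "wildcard":
                return False, "parent record covers its exact name only"
            return True, f"authorized by {owner} (policy={rec.get('policy')})"
    return False, "no matching _validation-persist record"


if __name__ == "__main__":
    now = datetime(2026, 6, 1, tzinfo=timezone.utc)  # constructed clock value
    le = "https://acme-v02.api.letsencrypt.org/directory"
    for name in ("www.example.com", "*.example.com", "exact.example.com", "example.org"):
        print(name, authorized(name, le, "https://acme-v02.api.letsencrypt.org/acct/12345", now))
```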

Pros

  • No DNS changes needed for certificate issuance/renewal
  • Reduced risk of DNS API credential exposure
  • Applicable to wildcard certificates
  • Control auth expiry timing with persistUntil
  • Multiple CAs can be authorized simultaneously

Cons

  • ACME account key protection becomes more critical (key leak = unauthorized issuance)
  • Let's Encrypt support planned for after Q2 2026 (still waiting)
  • DNS spoofing risk exists as DNSSEC is not mandatory
  • Persistent auth means immediate record removal needed on key compromise

Use Cases

  • Mass certificate deployment for IoT devices
  • Multi-tenant SaaS platforms (customer domain certificates)
  • Automated mass certificate issuance/renewal
  • LAN internal server certificates (environments without DNS API access)
  • Homelab/self-hosting automation