DNS-PERSIST-01: A New Model for DNS-Based Challenge Validation

Set-and-forget web safety? Fans cheer, critics worry about exposed account IDs

TLDR: Let’s Encrypt’s DNS‑PERSIST‑01 lets you post one permanent DNS record to approve future certificates, cutting renewal hassles. Commenters are split between relief at simpler ops and worrying that exposing the account identity is messy, with calls for crypto‑based designs or full DNSSEC/DANE dreams.

Let’s Encrypt just dropped a new way to prove you own your site: DNS-PERSIST-01. Instead of adding a fresh validation token to your domain’s DNS every time you renew, you post one standing “permission slip” (a TXT record) tied to your ACME account and the certificate authority, and the CA checks that same record on each issuance. Translation for non-tech folks: fewer fiddly updates, less waiting, more chill. The crowd went loud. Some cheered the end of “DNS delay drama” and automation headaches, calling it a legit fix for big fleets and for gadgets that aren’t always online. Others? Side-eye.

TrueDuality loves the relief but warns that your account identity is now visible in DNS—“usernames matter,” they say. mmh0000 brings the meme energy: “I really like and hate this at the same time,” celebrating no more fubar scripts while roasting the choice to put the account in plain text. Meanwhile, cyberax is already dreaming in neon: “Next stop, True DANE,” a future where browsers verify certificates directly if DNS is locked down with DNSSEC. The crypto purists, like micw, want a cleaner design using public/private keys instead of an account string. And the pragmatists ask, “Do I have to change my renewal command?” The vibe: you’ll likely add a one‑time DNS record, then set it and forget it—but guard your ACME account key like it’s your crown jewels. More details will land on Let’s Encrypt as tooling catches up.

Key Points

  • Let’s Encrypt is implementing support for DNS-PERSIST-01, a new ACME challenge based on an IETF draft.
  • DNS-PERSIST-01 uses a persistent DNS TXT record tied to a specific ACME account and CA, avoiding per-issuance DNS updates.
  • The method aims to reduce propagation delays and limit distribution of DNS API credentials across issuance pipelines.
  • Scope controls include default FQDN-only authorization, an optional policy=wildcard for wildcard and subdomain coverage, and an optional persistUntil expiration.
  • Security tradeoff shifts from protecting widespread DNS write access (DNS-01) to primarily protecting the ACME account key (DNS-PERSIST-01).
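To make the key points concrete, here is an added toy evaluator for a DNS-PERSIST-01 style record. It is illustration only, not Let’s Encrypt’s code or the IETF draft’s text: the wire format (semicolon-separated fields, the CA’s issuer domain first, then key=value pairs), the `accounturi` key, and the reading of `persistUntil` as Unix seconds are all assumptions made for the example; only the `policy=wildcard` and `persistUntil` names come from the page. It shows the four checks a CA would have to make before honoring such a record: CA match, exact account match, expiry, and scope (FQDN-only by default, wildcard and subdomains only with `policy=wildcard`).

```python
"""Toy evaluator for a DNS-PERSIST-01 style persistent authorization record.

Added illustration, not Let's Encrypt's or the IETF draft's code. Assumed wire
format: a TXT value of semicolon-separated fields, the first naming the CA
(issuer domain), the rest key=value pairs. Handled keys: an assumed
'accounturi', plus 'policy' and 'persistUntil' (taken as Unix seconds).
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PersistRecord:
    issuer: str                   # CA this record delegates to
    account_uri: str              # ACME account allowed to issue
    wildcard: bool                # policy=wildcard present?
    persist_until: Optional[int]  # Unix seconds, None = no expiry


def parse_record(txt: str) -> PersistRecord:
    """Parse one TXT value; raise ValueError on anything unexpected."""
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    if not fields:
        raise ValueError("empty record")
    issuer = fields[0].lower().rstrip(".")
    params = {}
    for field in fields[1:]:
        if "=" not in field:
            raise ValueError(f"malformed field: {field!r}")
        key, value = field.split("=", 1)
        params[key.strip()] = value.strip()
    if "accounturi" not in params:
        raise ValueError("accounturi is required")
    policy = params.get("policy", "")
    if policy not in ("", "wildcard"):
        raise ValueError(f"unknown policy: {policy!r}")
    until = int(params["persistUntil"]) if "persistUntil" in params else None
    return PersistRecord(issuer, params["accounturi"], policy == "wildcard", until)


def in_scope(rec: PersistRecord, record_domain: str, requested: str) -> bool:
    """Default scope is the exact FQDN; policy=wildcard adds *.domain and subdomains."""
    base = record_domain.lower().rstrip(".")
    name = requested.lower().rstrip(".")
    if name == base:
        return True
    if not rec.wildcard:
        return False
    if name.startswith("*."):
        name = name[2:]  # assumption: a wildcard under any covered label is in scope
    if "*" in name:
        return False
    return name == base or name.endswith("." + base)


def authorizes(txt: str, record_domain: str, requested_name: str,
               ca_issuer: str, account_uri: str, now: int) -> Tuple[bool, str]:
    """Decide whether the record lets account_uri get a cert for requested_name from ca_issuer."""
    try:
        rec = parse_record(txt)
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if rec.issuer != ca_issuer.lower().rstrip("."):
        return False, "issuer mismatch"
    # The account binding is the whole security model: whoever holds this
    # account's key can issue for every name the record covers, so the CA must
    # compare the full URI, never a prefix or a bare numeric id.
    if rec.account_uri != account_uri:
        return False, "account mismatch"
    if rec.persist_until is not None and now >= rec.persist_until:
        return False, "expired"
    if not in_scope(rec, record_domain, requested_name):
        return False, "out of scope"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample records, not real DNS data.
    ACCT = "https://ca.example/acme/acct/12345"
    fqdn_only = "ca.example; accounturi=" + ACCT
    wild = fqdn_only + "; policy=wildcard; persistUntil=1800000000"
    for rec, name, now in [
        (fqdn_only, "example.com", 1700000000),
        (fqdn_only, "www.example.com", 1700000000),
        (wild, "*.example.com", 1700000000),
        (wild, "www.example.com", 1900000000),
    ]:
        print(name, authorizes(rec, "example.com", name, "ca.example", ACCT, now))
```

The ordering of the checks is deliberate: the CA and account comparisons come before scope, so a record left behind for a different CA or a retired account never grants anything, and the expiry check means a `persistUntil` in the past turns the record into a no-op rather than a standing grant.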

Hottest takes

"My biggest hesitation here is the direct exposure of the managing account identity" — TrueDuality
"I really like and hate this at the same time" — mmh0000
"Ah, the next step towards True DANE!" — cyberax

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.