
DNS-PERSIST-01: A New ACME Challenge for Persistent Domain Validation
The DNS-PERSIST-01 challenge type is a notable addition to the Automatic Certificate Management Environment (ACME) protocol. Instead of the per-issuance TXT record used by DNS-01, the domain owner publishes a single persistent TXT record that names a specific Certificate Authority (CA) and a specific ACME account; for as long as that record exists, the named CA may issue certificates for the domain to the named account without a fresh challenge on every order. According to Aaron Gable of Let's Encrypt, this still satisfies the "random value" requirement of the domain-validation rules: the value is the account URI, which is constant, but it is tied to the key pair of the ACME account registered at the CA, so only the holder of that key can make use of it.

The CA/Browser Forum approved the mechanism via ballot SC-088v3 in October 2025, and Let's Encrypt plans to implement it in 2026.

The main operational benefit is lower renewal overhead. DNS-01 automation has to create a TXT record for every renewal and remove it afterwards, which in practice means giving the renewal process write access to DNS; with a persistent record that step, and the DNS credentials it requires, are no longer needed at each issuance.

The convenience has a security cost. Because the record is persistent, the ACME account key becomes a long-lived issuance credential: an attacker who obtains the private key can obtain certificates for the domain, repeatedly, until the TXT record is removed or the account is deactivated at the CA. Removing the record stops further issuance but does nothing about certificates already issued; those must be revoked separately. Organizations adopting the method should therefore protect ACME account keys at least as carefully as the DNS credentials they replace, keep each record scoped to exactly one CA and one account, audit their zones periodically for which accounts are currently authorized to obtain certificates, and rehearse the key-compromise procedure: deactivate the account, remove the record, and revoke any certificates the attacker obtained.

This development underscores the ongoing evolution of certificate management practices, balancing efficiency with security.
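The record mechanics and the compromise-response steps described above, worked through in Python as an added example. This is not Let's Encrypt's code or the text of the ACME draft; the record label `_validation-persist`, the `issuer=...;accounturi=...` value syntax, the wildcard handling and all function names are assumptions modelled on the draft's approach, and the zone data is constructed for the example. It shows the check a CA would make before issuing, the audit a domain owner would run to see every standing authorization in a zone, and the record removal that cuts off an attacker who holds a stolen account key.

```python
"""Added example (not Let's Encrypt or IETF draft code).

ASSUMPTIONS: the record lives at _validation-persist.<domain> and its
TXT value is "issuer=<ca>;accounturi=<uri>". Check the published draft
and your CA's documentation for the authoritative name and syntax.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PERSIST_LABEL = "_validation-persist"  # assumed record label


@dataclass(frozen=True)
class PersistRecord:
    issuer: str       # CA identifier the record authorizes (assumed key "issuer")
    account_uri: str  # ACME account URI it authorizes (assumed key "accounturi")


def parse_persist_record(txt: str) -> Optional[PersistRecord]:
    """Parse one TXT value. Return None for anything malformed so that a
    bad record in the RRset cannot break evaluation of the valid ones."""
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if not key or not value or key in fields:  # empty or duplicated key
            return None
        fields[key] = value
    if "issuer" not in fields or "accounturi" not in fields:
        return None
    # Host names are case-insensitive; account URIs are compared verbatim.
    return PersistRecord(fields["issuer"].lower(), fields["accounturi"])


def record_name(identifier: str) -> str:
    """Owner name the CA queries. A wildcard identifier is validated at its
    base domain, mirroring dns-01 (assumption)."""
    name = identifier.rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return f"{PERSIST_LABEL}.{name}"


def is_authorized(txt_values: List[str], ca_issuer: str, account_uri: str) -> bool:
    """CA side: issue only if some record names exactly this CA and this account."""
    for txt in txt_values:
        rec = parse_persist_record(txt)
        if rec is not None and rec.issuer == ca_issuer.lower() and rec.account_uri == account_uri:
            return True
    return False


def audit_zone(zone: Dict[str, List[str]]) -> List[str]:
    """Owner side: list every standing authorization in the zone. This is
    exactly the set an attacker holding a stolen account key could use."""
    findings: List[str] = []
    for name, values in sorted(zone.items()):
        if not name.startswith(PERSIST_LABEL + "."):
            continue
        domain = name[len(PERSIST_LABEL) + 1:]
        for txt in values:
            rec = parse_persist_record(txt)
            if rec is None:
                findings.append(f"{domain}: MALFORMED {txt!r}")
            else:
                findings.append(f"{domain}: {rec.issuer} may issue to {rec.account_uri}")
    return findings


def revoke_standing_authorization(zone: Dict[str, List[str]], domain: str, account_uri: str) -> int:
    """Incident response: drop every record naming the compromised account and
    return how many were removed. Certificates already issued are untouched
    and must be revoked through the CA separately."""
    name = record_name(domain)
    if name not in zone:
        return 0
    before = zone[name]
    kept = []
    for txt in before:
        rec = parse_persist_record(txt)
        if rec is None or rec.account_uri != account_uri:
            kept.append(txt)
    zone[name] = kept
    return len(before) - len(kept)


# Constructed sample zone (not real DNS data).
ACCOUNT = "https://ca.example/acme/acct/1234"
ZONE: Dict[str, List[str]] = {
    "example.com": ["v=spf1 -all"],
    "_validation-persist.example.com": [
        f"issuer=ca.example;accounturi={ACCOUNT}",
        "issuer=other-ca.example",  # malformed: names no account
    ],
    "_validation-persist.api.example.com": [
        "issuer=other-ca.example;accounturi=https://other-ca.example/acct/77",
    ],
}

if __name__ == "__main__":
    for line in audit_zone(ZONE):
        print(line)
    print(is_authorized(ZONE[record_name("*.example.com")], "CA.example", ACCOUNT))
```

In a real deployment `ZONE` would come from a zone transfer or the DNS provider's API, and the audit should run on a schedule alongside Certificate Transparency monitoring, since the two together tell you who is authorized to issue and what has actually been issued.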