
Let’s Encrypt Introduces DNS-PERSIST-01 for Persistent ACME DNS Validation


Let’s Encrypt has introduced support for a new ACME challenge type called DNS-PERSIST-01, designed to simplify certificate issuance and renewal through a persistent DNS-based authorization model.

This new mechanism, based on an IETF draft, serves as an alternative to the widely used DNS-01 challenge. DNS-01 remains fully supported, but DNS-PERSIST-01 changes how domain ownership is verified during the validation process.

With DNS-01, each certificate issuance or renewal requires you to create a new TXT record under _acme-challenge.<domain>. Your ACME client places a one-time token provided by the certificate authority (CA), which the CA then verifies via DNS lookup. While this ensures fresh proof of domain control every time, it also means repeatedly updating DNS records and waiting for propagation.

DNS-PERSIST-01 takes a different approach. Instead of generating a new token for every request, you create a permanent TXT record at _validation-persist.<domain>. This record authorizes a specific ACME account and CA to issue certificates for your domain on an ongoing basis.

Typically, the TXT record includes the CA’s issuer domain and the ACME account URI. Once published, it can be reused for future certificate requests and renewals, eliminating the need to modify DNS records each time.

Another advantage is flexible authorization scope. By default, the authorization applies only to the validated domain and remains valid indefinitely. However, adding a policy=wildcard parameter allows you to request wildcard certificates (such as *.example.com), covering all matching subdomains.

You can also define how long the authorization should remain valid by including an optional persistUntil parameter. This timestamp specifies the expiration date for the authorization. Once it passes, you’ll need to update or replace the record, so it’s important to monitor it to avoid unintended interruptions.

Finally, DNS-PERSIST-01 supports authorizing multiple certificate authorities simultaneously. This is done by publishing multiple TXT records at the same _validation-persist.<domain> label, each containing a different CA’s issuer domain. During validation, each CA checks only the records relevant to its own identifier.
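The record checks described above (issuer domain match, account URI match, policy=wildcard, persistUntil, and several CAs sharing one label), as an added example that is not code from the announcement, from Let’s Encrypt, or from any ACME client. It assumes a record syntax of the issuer domain followed by semicolon-separated key=value parameters with persistUntil as a UNIX timestamp, which is modelled on the IETF draft but not spelled out on this page; the CA names, account URIs and TXT values are constructed.

```python
from typing import Iterable, Optional

# Constructed sample TXT values at _validation-persist.example.com (not real CAs).
SAMPLE_RECORDS = [
    "ca-a.example; accounturi=https://acme.ca-a.example/acct/1234; policy=wildcard",
    "ca-b.example; accounturi=https://acme.ca-b.example/acct/99; persistUntil=1700000000",
    "v=spf1 -all",  # unrelated TXT value sharing the label must be ignored
]


def parse_record(txt: str) -> Optional[dict]:
    """Parse one TXT value into {issuer, accounturi, wildcard, persist_until};
    return None if it is not a well-formed persist record (assumed syntax)."""
    parts = [p.strip() for p in txt.split(";")]
    issuer = parts[0].lower()
    if not issuer or " " in issuer:
        return None
    params = {}
    for p in parts[1:]:
        key, sep, value = p.partition("=")
        if not sep:
            return None
        params[key.strip().lower()] = value.strip()
    if "accounturi" not in params:
        return None
    until = params.get("persistuntil")  # assumed: UNIX timestamp in seconds
    if until is not None and not until.isdigit():
        return None
    return {"issuer": issuer, "accounturi": params["accounturi"],
            "wildcard": params.get("policy") == "wildcard",
            "persist_until": int(until) if until is not None else None}


def is_authorized(records: Iterable[str], issuer_domain: str, account_uri: str,
                  wildcard: bool, now: int) -> bool:
    """True if some record at the label authorizes this CA and account at time `now`."""
    for txt in records:
        rec = parse_record(txt)
        if rec is None or rec["issuer"] != issuer_domain.lower():
            continue  # a CA only considers records naming its own issuer domain
        if rec["accounturi"] != account_uri:
            continue  # record authorizes a different ACME account
        if rec["persist_until"] is not None and now > rec["persist_until"]:
            continue  # persistUntil has passed: authorization expired
        if wildcard and not rec["wildcard"]:
            continue  # wildcard issuance requires policy=wildcard
        return True
    return False
```

Running the same check with `now` past a record’s persistUntil is the condition the text warns about: the record silently stops authorizing issuance until it is updated.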

For full technical details, refer to the official announcement.
