Let’s Encrypt Introduces DNS‑PERSIST‑01: A Persistent DNS‑Based ACME Challenge

DNS‑PERSIST‑01 is Let’s Encrypt’s new ACME challenge that replaces per‑certificate DNS updates with a single, persistent DNS‑based authorization record tied to an ACME account, dramatically simplifying TLS automation for wildcard and multi‑tenant environments.

Introduction: A New Chapter in TLS Automation

On February 18 2026, Let’s Encrypt announced the upcoming support for DNS‑PERSIST‑01, a groundbreaking ACME challenge that addresses the operational pain points of the classic DNS‑01 flow. For DevOps engineers, security professionals, and web‑hosting providers who manage large numbers of domains, the new challenge promises to cut down on DNS propagation latency, reduce credential sprawl, and enable truly batch‑oriented certificate issuance.

Overview of DNS‑PERSIST‑01

Why Let’s Encrypt Introduced a New Challenge

The traditional DNS‑01 challenge requires a fresh TXT record for every certificate request. While reliable, this model forces operators to:

• Maintain API credentials for every DNS provider in the issuance pipeline.
• Wait for DNS propagation on each renewal, which can add minutes to the automation loop.
• Rotate credentials regularly to mitigate exposure risk.

These constraints become especially burdensome in IoT deployments, multi‑tenant SaaS platforms, and large‑scale wildcard certificate scenarios. DNS‑PERSIST‑01 replaces the per‑request token with a persistent authorization record that lives in DNS indefinitely (or until an optional expiration). The record binds a specific ACME account to a domain, allowing any future issuance to reuse the same proof of control.

Key Specification Highlights

The IETF draft that underpins DNS‑PERSIST‑01 defines a TXT record format similar to:

_validation-persist.example.com. IN TXT "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234567890"

Optional parameters such as policy=wildcard and persistUntil= timestamps give operators fine‑grained control over scope and lifetime.

How DNS‑PERSIST‑01 Works

Step‑by‑Step Workflow

1. Initial Setup: The domain owner creates a single TXT record at _validation-persist.<domain> containing the CA identifier and the ACME account URI.
2. Certificate Request: When an ACME client requests a new certificate, it includes the same account URI in the request.
3. Validation Query: Let’s Encrypt queries the persistent TXT record. If the record matches the requesting account, validation succeeds instantly—no new DNS changes are required.
4. Renewal & Re‑issuance: Subsequent renewals reuse the same record, eliminating propagation delays.

Comparison with DNS‑01

Security Considerations

Credential Exposure vs. Account Key Protection

With DNS‑01, the most sensitive asset is the DNS provider’s API key, which must be stored wherever the ACME client runs. DNS‑PERSIST‑01 shifts the trust boundary: the DNS record is static, so the API key can be confined to a single, well‑secured provisioning step. However, the ACME account private key becomes the new “crown jewel.” If an attacker compromises that key, they can issue certificates for any domain covered by the persistent record.

Scope Controls and Expiration

Operators can limit the impact of a compromised account by:

• Using the policy=wildcard flag only when truly needed.
• Setting a persistUntil timestamp to force periodic re‑validation.
• Deploying monitoring that alerts when the persistent TXT record is altered.

Multi‑CA Environments

The draft permits multiple CAs to coexist by publishing separate TXT records for each issuer. This flexibility is useful for organizations that run private PKI alongside Let’s Encrypt, ensuring that each CA validates only its own records.

Benefits and Use Cases

Adopting DNS‑PERSIST‑01 unlocks tangible advantages across several scenarios:

• Large‑scale SaaS platforms: Reduce the number of DNS API calls from thousands per day to a single provisioning event per domain.
• IoT device fleets: Devices that cannot reach public DNS resolvers can still obtain certificates via a pre‑authorized persistent record.
• Multi‑tenant hosting providers: Isolate tenant credentials while still offering automated wildcard certificates.
• Continuous Integration / Continuous Deployment (CI/CD) pipelines: Eliminate flaky builds caused by DNS propagation latency.

These benefits align perfectly with the capabilities of the UBOS platform overview, which provides a unified environment for building, deploying, and automating AI‑enhanced services.

Deployment Timeline

Standardization Milestones

The CA/Browser Forum ballot SC‑088v3, defining “3.2.2.4.22 DNS TXT Record with Persistent Value,” passed unanimously in October 2025. The IETF ACME working group adopted the draft shortly thereafter, cementing the technical foundation for production use.

Early Adoption and Staging

Let’s Encrypt has already integrated the draft into Pebble, a lightweight test CA. Community‑maintained clients such as lego are adding native support, making it easy for developers to experiment.

Production Rollout

According to the official roadmap, a staging rollout is slated for late Q1 2026, with full production availability expected in Q2 2026. Early adopters can begin testing today by configuring the persistent TXT record and using a compatible client in Let’s Encrypt’s staging environment.

Integrating DNS‑PERSIST‑01 with UBOS Solutions

UBOS offers a suite of tools that can accelerate the adoption of DNS‑PERSIST‑01 across your organization:

• Workflow automation studio lets you script the one‑time creation of the persistent TXT record and tie it to your CI/CD pipelines.
• The Web app editor on UBOS can generate custom dashboards that display the status of your persistent records in real time.
• For teams focused on content marketing, the AI marketing agents can automatically generate documentation and alerts whenever a persistUntil timestamp approaches expiration.
• Pricing is transparent and scalable; see the UBOS pricing plans to match your organization’s size.

Start‑ups can quickly prototype with UBOS for startups, while SMBs benefit from UBOS solutions for SMBs. Enterprises looking for a broader AI strategy can explore the Enterprise AI platform by UBOS, which includes native integrations for DNS management and ACME automation.

Real‑World Templates to Accelerate Adoption

UBOS’s Template Marketplace already hosts several ready‑made applications that can be combined with DNS‑PERSIST‑01:

• AI SEO Analyzer – automatically verify that your TLS certificates are correctly deployed across all crawled domains.
• AI Article Copywriter – generate documentation for your new certificate workflow.
• AI Video Generator – create quick onboarding videos for ops teams.
• GPT-Powered Telegram Bot (listed as GPT-Powered Telegram Bot) – receive real‑time alerts on persistent record changes via the Telegram integration on UBOS.

Conclusion & Call to Action

DNS‑PERSIST‑01 represents a paradigm shift in TLS automation. By moving from per‑request DNS updates to a single, durable authorization record, it reduces operational overhead, tightens security around credential distribution, and opens the door for large‑scale, batch‑oriented certificate issuance.

If you’re a DevOps engineer or security professional looking to future‑proof your certificate management pipeline, now is the time to experiment with the new challenge in Let’s Encrypt’s staging environment. Leverage UBOS’s UBOS homepage to spin up a sandbox, use the Workflow automation studio to script the initial TXT record creation, and monitor compliance with the AI marketing agents. When the production rollout arrives in Q2 2026, you’ll be ready to reap the efficiency gains without a single DNS propagation delay.

Ready to get started? Explore the UBOS portfolio examples for inspiration, and contact our team through the About UBOS page to discuss a tailored implementation plan.