DNS-PERSIST-01 and certificate automation: what should teams change?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: A new DNS-based domain control validation method lets certificate authorities verify ownership with a persistent TXT record instead of recurring DNS write access, reducing operational friction and attack surface, according to DigiCert and the CA/Browser Forum. The shift matters because certificate automation now depends less on standing DNS privileges and more on tightly scoped, auditable domain control.

NHIMG editorial — based on content published by DigiCert: A new DNS validation method for simplified certificate automation

Questions worth separating out

Q: How should security teams implement DNS-based certificate validation without broad DNS write access?

A: Use a validation model that separates proof of domain control from recurring DNS updates.

Q: Why does persistent DNS validation reduce certificate automation risk?

A: It reduces risk because recurring DNS write access is a high-value privilege that can be abused if exposed or misconfigured.

Q: What breaks when certificate validation depends on repeated DNS changes?

A: Teams end up coupling certificate issuance to a sensitive administrative channel that was never meant to be continuously exposed.

Practitioner guidance

  • Re-map DNS write privileges: identify every team, account, and automation path that still has DNS edit rights for certificate validation, then remove standing access where a persistent TXT record now covers the control requirement.
  • Separate validation evidence from renewal operations: document the persistent TXT record as the proof-of-control artefact and keep renewal workflows from inheriting DNS mutation rights they no longer need.
  • Review certificate lifecycle ownership: assign clear ownership for creating, expiring, and auditing validation records so certificate automation does not become an unmanaged machine identity process.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • The exact DNS-TXT record structure used for persistent validation, including the domain, CA identifier, account identifier, and expiry marker.
  • The ACME and Server Certificate Baseline Requirements context that explains where the method fits in certificate automation.
  • The implementation rationale for DNS administrators who need to support automated certificate management with less recurring write access.
  • The standards-process timeline showing how the proposal moves from baseline requirements into broader ACME specification work.

👉 Read DigiCert's explanation of persistent DNS validation for certificate automation →
