TL;DR: A new DNS-based domain control validation method lets certificate authorities verify ownership with a persistent TXT record instead of recurring DNS write access, reducing operational friction and attack surface, according to DigiCert and the CA/Browser Forum. The shift matters because certificate automation now depends less on standing DNS privileges and more on tightly scoped, auditable domain control.
NHIMG editorial — based on content published by DigiCert: A new DNS validation method for simplified certificate automation
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes - and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams implement DNS-based certificate validation without broad DNS write access?
A: Use a validation model that separates proof of domain control from recurring DNS updates.
Q: Why does persistent DNS validation reduce certificate automation risk?
A: It reduces risk because recurring DNS write access is a high-value privilege that can be abused if exposed or misconfigured.
Q: What breaks when certificate validation depends on repeated DNS changes?
A: Teams end up coupling certificate issuance to a sensitive administrative channel that was never meant to be continuously exposed.
Practitioner guidance
- Re-map DNS write privileges Identify every team, account, and automation path that still has DNS edit rights for certificate validation, then remove standing access where a persistent TXT record now covers the control requirement.
- Separate validation evidence from renewal operations Document the persistent TXT record as the proof-of-control artefact and keep renewal workflows from inheriting DNS mutation rights they no longer need.
- Review certificate lifecycle ownership Assign clear ownership for creating, expiring, and auditing validation records so certificate automation does not become an unmanaged machine identity process.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- The exact DNS-TXT record structure used for persistent validation, including the domain, CA identifier, account identifier, and expiry marker.
- The ACME and Server Certificate Baseline Requirements context that explains where the method fits in certificate automation.
- The implementation rationale for DNS administrators who need to support automated certificate management with less recurring write access.
- The standards-process timeline showing how the proposal moves from baseline requirements into broader ACME specification work.
👉 Read DigiCert's explanation of persistent DNS validation for certificate automation →
DNS-PERSIST-01 and certificate automation: what should teams change?
Explore further
Persistent DNS validation is a privilege-scope change, not just a convenience feature. The core governance shift is that certificate validation no longer needs recurring DNS write access for every renewal cycle. That matters because standing access is what usually creates long-lived operational risk in machine identity programmes. Practitioners should read this as a reduction in trust surface, not merely a cleaner workflow.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Which framework is most relevant for governing DNS-backed certificate automation?
A: NIST Cybersecurity Framework 2.0 is useful because it gives teams a structured way to govern access, protect validation assets, and monitor certificate-related changes. For machine identity programmes, the practical test is whether DNS control is minimised, logged, and tied to a clear ownership model.
👉 Read our full editorial: Persistent DNS validation changes certificate automation governance