HeadlinesBriefing.com

DNS-PERSIST-01: Let's Encrypt's New Certificate Validation Method

Source: Hacker News

Let's Encrypt is rolling out DNS-PERSIST-01, a new ACME challenge type that replaces repeated DNS validation with persistent authorization records. The system uses TXT records at `_validation-persist.<DOMAIN>` to bind certificate issuance permissions to specific ACME accounts and CAs, eliminating the need for recurring DNS updates during renewals.

Unlike DNS-01, which requires publishing new challenge tokens for each certificate request, DNS-PERSIST-01 creates a standing authorization that remains valid indefinitely. This approach particularly benefits IoT deployments, multi-tenant platforms, and batch certificate operations where traditional validation methods prove impractical. The specification, based on IETF draft standards, passed CA/Browser Forum ballot SC-088v3 unanimously in October 2025.

The implementation includes wildcard certificate support and optional expiration parameters. Multiple CAs can be authorized simultaneously by publishing separate TXT records. While staging rollout is planned for late Q1 2026 with production deployment in Q2 2026, the core mechanisms are unlikely to change substantially. The trade-off shifts security focus from protecting distributed DNS credentials to safeguarding the ACME account key.
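To make the authorization model concrete, here is an added example (not code from Let's Encrypt or the draft) of how a CA-side check against `_validation-persist.<DOMAIN>` records could work: it matches a record to the requesting CA and ACME account, honours an optional expiry, and requires an explicit wildcard grant. The key names (`ca`, `account`, `wildcard`, `expires`) and the `key=value; ...` layout are assumptions for illustration, not the draft's exact record grammar, and the zone data is constructed.

```python
import time

# Constructed zone data. Record syntax is an assumed key=value; layout,
# not the draft's exact grammar. Two CAs are authorized via separate records.
SAMPLE_ZONE = {
    "_validation-persist.example.com": [
        "ca=letsencrypt.org; "
        "account=https://acme-v02.api.letsencrypt.org/acme/acct/12345",
        "ca=other-ca.example; account=https://acme.other-ca.example/acct/77; "
        "wildcard=yes; expires=1700000000",
    ],
}


def parse_record(txt):
    """Parse one TXT record into a dict; malformed fragments are ignored."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def authorized(zone, domain, ca, account, wildcard=False, now=None):
    """Return True if some unexpired record binds issuance for `domain`
    to this CA and ACME account (and grants wildcard issuance if asked)."""
    now = time.time() if now is None else now
    for txt in zone.get("_validation-persist." + domain, []):
        rec = parse_record(txt)
        # Binding is to the (CA, account) pair; either mismatch rejects.
        if rec.get("ca") != ca or rec.get("account") != account:
            continue
        # Optional expiry: an unparsable value is treated as not authorizing.
        if "expires" in rec:
            try:
                if now > int(rec["expires"]):
                    continue
            except ValueError:
                continue
        # Wildcard issuance needs an explicit grant on the record.
        if wildcard and rec.get("wildcard", "no").lower() != "yes":
            continue
        return True
    return False
```

Because the record names the account, protecting the ACME account key is what now gates issuance, which is the trade-off the article describes.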