On November 8, 2025, the CA/Browser Forum formally incorporated a new domain control validation (DCV) method using DNS into the Server Certificate Baseline Requirements. The update makes certificate automation more secure and easier to implement by reducing the need for DNS write privileges and clarifying how organisations can demonstrate domain control.

It’s a small procedural change with a large practical impact, simplifying how organisations demonstrate domain ownership and maintain trust as they move toward fully automated certificate lifecycles.

What’s new in domain control validation

Under the new DNS-based DCV method, a certificate authority (CA) customer places a TXT record in the authoritative DNS for the domain identified in the certificate request. The record name identifies the domain, while the value identifies the CA, a unique customer account identifier (as defined in RFC 8657), and an optional expiration date.

Example from the CA/Browser Forum:

_validation-persist.example.com IN TXT "authority.example;
accounturi=https://authority.example/acct/123; persistUntil=1782424856"

In this example:

• example.com is the customer domain;
• authority.example is the CA domain;
• accounturi is the account identifier;
• and persistUntil specifies when the record’s authority expires.

How it improves on existing DNS-01 validation

The previous ACME DNS-based validation method (DNS-01) required customers to have write access to DNS and to periodically create or update validation records. The new method, dubbed DNS-PERSIST-01, allows a DNS record to be created once for a specific domain/CA pairing.

This eliminates the need for ongoing DNS write access, making it easier for DNS administrators to support automated certificate management while reducing operational complexity and risk. It’s especially beneficial for organizations pursuing large-scale certificate automation.

Supporting automation and stronger DNS security

By minimizing the need for DNS write privileges, DNS-PERSIST-01 reduces potential attack surfaces and strengthens overall DNS security. It also simplifies how organizations can automate domain validation, removing a major operational barrier to continuous certificate management.

The new method helps align certificate practices with the industry’s broader push toward secure automation, offering a more resilient, low-maintenance foundation for managing digital certificates at scale.

Industry adoption and next steps

The proposal, formally titled “DNS TXT Record with Persistent Value DCV Method,” was approved by the CA/Browser Forum’s Server Certificate Working Group on October 8 and has now completed its intellectual property review. As of November 8, the method is officially incorporated into the Server Certificate Baseline Requirements, allowing certificate authorities to use the DNS-PERSIST-01 method for domain control validation.

A related proposal has been submitted to the IETF ACME Working Group to add the same persistent DNS validation approach to the ACME specification. That process is just beginning and is expected to take a year or more to complete.

In parallel, updates to the Chrome Root Program policy (version 1.8)—which continues to emphasize secure automation—are currently out for public comment and are expected to take effect in February 2026.

Together, these efforts reflect continued progress toward a fully automated, standards-aligned certificate ecosystem.

Advancing automation in certificate management

Persistent DNS validation is one piece of a broader industry movement toward streamlined, secure certificate management. DigiCert continues to support automation through ACME, robust API integrations, and managed PKI solutions that make it easier for organizations to deploy, renew, and protect certificates at scale.

Explore DigiCert’s automation solutions to learn how to enable trusted, policy-aligned certificate management across your enterprise.