Decreasing Certificate Lifetimes to 45 Days (letsencrypt.org)
44 points by abraham 3 hours ago | 5 comments
secret-noun 18 minutes ago
> The key advantage of [DNS-PERSIST-01] is that the DNS TXT entry used to demonstrate control does not have to change every renewal.
> We expect DNS-PERSIST-01 to be available in 2026

Very exciting! https://datatracker.ietf.org/doc/html/draft-sheurich-acme-dn...
ZeroConcerns 23 minutes ago
I'm all for it -- it's hard to understate the extent to which LetsEncrypt has improved the WebPKI situation. Although the effective single-vendor situation isn't great, the "this is just something you only do via an automated API" approach is absolutely the right one. And certificate lifetimes measured in days work just fine with that. The only things that continue to amaze me are the number of (mostly "enterprise") software products that simply won't get with the times (or get it wrong, like renewing the cert, but continuing to use the old one until something is manually restarted), and the countless IT departments that still don't support any kind of API for their internal domains...
bravetraveler 8 minutes ago
The year is 2055, certificate lifetimes are measured in picoseconds. The Authority is still not pleased with your automation.
jakeogh 21 minutes ago
"This change is being made along with the rest of the industry, as required by the CA/Browser Forum Baseline Requirements, which set the technical requirements that we must follow."

I don't follow. Why? Why not an hour? An SSL failure is a very effective way to shut down a site.

"you should verify that your automation is compatible with certificates that have shorter validity periods. To ensure your ACME client renews on time, we recommend using ACME Renewal Information (ARI). ARI is a feature we've introduced to help clients know when they need to renew their certificates. Consult your ACME client's documentation on how to enable ARI, as it differs from client to client. If you are a client developer, check out this integration guide."

Oh that sounds wonderful.