Add DNS-PERSIST-01 challenge support

- Add dns-persist-01 to allowed challenge types in verify_config() - Implement dns-persist-01 case in challenge preparation (no dynamic token) - Skip deployment and cleanup for dns-persist-01 - Update help text and documentation - Add man page and README updates - Update CHANGELOG
2026-05-08 16:13:35 +02:00 · 2026-03-29 07:17:22 +00:00
parent c63d1cb528
commit cfd637d769
5 changed files with 69 additions and 33 deletions
--- a/docs/dns-verification.md
+++ b/docs/dns-verification.md
@@ -29,3 +29,24 @@ Or when you do have a DNS API, pass the details accordingly to achieve the same
 You can delete the TXT record when called with operation `clean_challenge`, when $2 is also the domain name.

 Here are some examples: [Examples for DNS-01 hooks](https://github.com/dehydrated-io/dehydrated/wiki)
+
+### dns-persist-01 challenge
+
+This script also supports the `dns-persist-01`-type verification. This type of verification requires you to create a persistent `TXT` DNS record containing your Let's Encrypt account information.
+
+Unlike `dns-01`, which requires dynamic DNS record updates for each certificate request, `dns-persist-01` uses a single persistent record that remains in place indefinitely.
+
+You need to create a TXT record named `_validation-persist` in the domain for which you want to request certificates. The record should contain your account URI and other metadata.
+
+Example record:
+```
+_validation-persist.example.com. IN TXT (
+  "letsencrypt.org;"
+  " accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234567890;"
+  " policy=wildcard"
+)
+```
+
+The account URI can be obtained by running `dehydrated --register --accept-terms` and checking the account registration response, or by examining the `accounts/*/registration.json` file after registration.
+
+This record should be set up once and left in place. No hook script is required for `dns-persist-01` as dehydrated does not perform any dynamic DNS updates for this challenge type.
--- a/docs/man/dehydrated.1
+++ b/docs/man/dehydrated.1
@@ -26,7 +26,7 @@ single certificate valid for both "example.net" and "example.com" through the \f
 Alternative Name\fR (SAN) field.

 For the next step, one way of verifying domain name ownership needs to be
-configured.  Dehydrated implements \fIhttp-01\fR and \fIdns-01\fR verification.
+configured.  Dehydrated implements \fIhttp-01\fR, \fIdns-01\fR, and \fIdns-persist-01\fR verification.

 The \fIhttp-01\fR verification provides proof of ownership by providing a
 challenge token. In order to do that, the directory referenced in the
@@ -44,6 +44,12 @@ the software or the DNS provider at hand, there are many third party hooks
 available for dehydrated.  See \fIdns-verification.md\fR for hooks for popular
 DNS servers and DNS hosters.

+The \fIdns-persist-01\fR verification works by providing a persistent DNS record
+containing account information. Unlike \fIdns-01\fR, this requires setting up a
+static TXT record once that remains in place indefinitely. No dynamic DNS
+updates are performed during certificate requests. See \fIdns-verification.md\fR
+for details on setting up the required DNS record.
+
 Finally, the certificates need to be requested and updated on a regular basis.
 This can happen through a cron job or a timer. Initially, you may enforce this
 by invoking \fIdehydrated -c\fR manually.