Understanding persistent DCV and DNS connectors: Simplifying domain validation at scale

The industry shift is accelerating

The TLS industry is undergoing one of its most significant operational transitions in years. CA/Browser Forum mandates are compressing certificate validity periods and tightening domain control validation (DCV) reuse windows. For organizations managing certificates at scale, this is a major concern for the near future.

The move to 47-day certificate lifecycles will fundamentally change how teams think about renewal and validation. What used to be an annual task will become a continuous operational workflow. Organizations relying on manual DNS updates and ad-hoc renewal processes will face mounting strain as these changes take effect.

The pressure is being felt unevenly. Enterprises managing large certificate estates, complex SAN certificates, and wildcard domains are feeling it first. But the operational reality is clear across the board: manual certificate management will not scale to the demands of shorter lifecycles.

Sectigo is helping customers get ahead of this challenge. Through support for Persistent DCV in Sectigo Certificate Manager (SCM), combined with a significantly expanded set of DNS connector integrations, teams can begin building the automation-ready workflows they need before these changes become mandatory. 

What is changing? Understanding the new timeline

The CA/Browser Forum has established a clear trajectory: DCV evidence will expire more frequently, and certificates will need to be renewed on much shorter cycles. For teams currently relying on occasional DNS updates tied to annual renewals, the operational math no longer adds up.

The cumulative effect: teams that handle renewals manually today will be facing the same tasks at five to eight times the frequency. DNS coordination, change management approvals, and per-renewal validation will pile up rapidly, creating both operational drag and real outage risk.

What is persistent DCV?

Persistent DCV is a new approach to DNS-based domain validation that eliminates the need to repeatedly create and update DNS TXT records at each renewal cycle. Instead of provisioning a temporary record for each validation event, an organization publishes a single persistent TXT record once. The CA then performs recurring validation checks against that record automatically, without requiring further DNS intervention. Below are the step-by-step differences:

Traditional DCV:

1. Install DNS connector in your environment
2. Request certificate  
3. Add temporary TXT record  
4. Validate  
5. Remove/update record  
6. Repeat again in 100 or 47 days  

Persistent DCV:

1. Publish persistent TXT record once  
2. CA performs recurring validation checks automatically  
3. Renew certificates continuously without repeated DNS changes  

Why the CA/Browser Forum introduced persistent DCV

The persistent DNS TXT validation method was introduced through SC088, a CA/Browser Forum ballot that Sectigo sponsored. The ballot emerged from direct customer feedback: as certificate renewal frequencies increased, the operational burden of repeated DCV updates was becoming unsustainable for enterprise teams.

Sectigo's sponsorship of SC088 reflects a broader commitment to shaping standards that balance strong security assurances with operational practicality. Persistent DCV does not reduce the rigor of domain ownership verification. It changes when and how that verification is performed, shifting from event-driven checks to continuous, automated validation.

The CA/Browser Forum recognized that shrinking certificate lifetimes require a scalable automation model. Persistent DCV is the industry's answer to that requirement at the validation layer. 

Why persistent DCV matters for enterprise teams

The enterprise context matters here. Large organizations don't manage a handful of certificates. They manage thousands, often across environments owned by different teams, using different DNS providers, governed by change management policies that introduce lead time into every update.

Common challenges teams face today include:

• Large certificate estates spanning multiple environments
• SAN certificates that aggregate multiple domains requiring coordinated validation
• Wildcard certificate complexity and heightened scrutiny under shorter lifecycles
• DNS ownership split across infrastructure, networking, and platform teams
• Change management processes that add days or weeks to DNS updates
• Outage risk when DCV records expire before renewals are completed

Persistent DCV directly addresses each of these pain points:

• Reduced operational overhead: Eliminates the recurring DNS update cycle for established domains
• Lower outage risk: Removes the failure mode of expired DCV records causing failed renewals
• Better scalability: Supports high-volume certificate automation without proportional DNS work
• Stronger automation readiness: Aligns domain validation with 47-day and shorter certificate cycles
• Simplified compliance: Makes continuous validation readiness easier to maintain and demonstrate

Sectigo’s approach: Persistent DCV and DNS connectors in SCM

Sectigo Certificate Manager now supports both Persistent DNS TXT records for ongoing DCV automation and a significantly expanded library of DNS connector integrations. Together, these capabilities address the two main layers of the DNS validation challenge: what method is used, and how the DNS changes are executed.

Persistent DCV in SCM

SCM’s support for persistent DCV enables teams to:

• Publish persistent TXT records for domains under management
• Enable automated recurring validation without additional DNS changes
• Reduce dependency on manual DNS coordination at renewal time
• Align validation workflows with the operational requirements of shorter certificate lifecycles

This is part of Sectigo’s broader Scalable DCV approach: treating domain validation as a coordinated, automated system rather than a one-off task at each renewal event.

Expanded DNS connector support

For situations where DNS changes are still required (including the initial setup of persistent records or managing new domains) SCM’s DNS connectors automate the execution of those changes directly from the platform.

DNS connectors in SCM connect directly to your DNS provider and enable SCM to automatically create and validate DNS TXT record challenges on your behalf. Rather than requiring manual coordination between certificate teams and DNS administrators, the connector handles the DNS interaction programmatically, removing human touchpoints and the delays that come with them.

Sectigo is frequently expanding DNS connector support to cover a broad range of providers, with the most up-to-date coverage listed here.

This breadth of coverage reflects a deliberate effort to reach organizations wherever their DNS infrastructure lives, whether that’s a major cloud provider, a specialized enterprise DNS platform, or a self-hosted environment. The LEGO integration layer extends this further, making SCM’s DNS automation accessible across more than 100 DNS providers through a single connector architecture.

How the two capabilities work together

Persistent DCV and DNS connectors are complementary, not interchangeable. Persistent DCV reduces reliance on DNS changes during the renewal cycle. DNS connectors automate the DNS changes that are still necessary, including publishing the initial persistent record. Together, they give teams two levers for reducing manual DNS work:

• Where persistent records can be used, DNS touchpoints during renewal are eliminated entirely
• Where DNS changes are still needed, connectors automate execution without manual coordination

The net effect is a validation workflow that scales cleanly as certificate volumes and renewal frequencies increase. 

What customers should do now

The window to prepare is open, but it is narrowing. Organizations that begin transitioning now will be better positioned when mandatory timelines arrive. Recommended steps:

• Inventory your certificate estate: Identify public TLS certificates expiring after March 15, 2026, and assess which domains are candidates for persistent DCV.
• Review existing DCV records: Identify sticky or aging DCV records approaching their reuse expiration to avoid renewal failures.
• Prioritize SAN and wildcard domains: These carry the highest coordination overhead and are the most operationally sensitive under compressed timelines.
• Publish persistent TXT records: Begin transitioning established domains to persistent DCV now, before renewal frequency increases require it at scale.
• Adopt automation broadly: Use SCM’s automated recurring validation workflows and lifecycle automation capabilities to reduce manual intervention across the certificate estate. 

Looking ahead: Preparing for 47-day certificates

The transition to 47-day certificate lifecycles will require a fundamentally different operational model. The organizations that will navigate this transition smoothly are those that have already built the automation infrastructure to support it, not those scrambling to catch up when the timelines arrive.

Persistent DCV is a meaningful step in that direction. It eliminates a significant source of manual work from the renewal cycle, reduces a common category of outage risk, and aligns domain validation with the operational rhythms that shorter lifecycles demand. Combined with SCM’s expanded DNS connector library, it gives teams a practical path to automating the last mile of their certificate workflows.

Manual certificate management at machine-paced renewal frequencies is not a viable long-term strategy. The organizations investing in automated, repeatable validation infrastructure now will be best positioned for the operational reality that’s coming. 

Get started

Persistent DCV and DNS connector support are available in Sectigo Certificate Manager today. To learn more or begin your transition:

• Contact your Sectigo representative to discuss your certificate estate and readiness assessment
• Explore persistent DCV configuration in SCM and identify which domains to transition first
• Review available DNS connectors in SCM under Integrations > DNS Connectors to find the right integration for your environment
• Schedule a readiness assessment to build a prioritized automation roadmap before shorter lifecycle mandates take effect

Persistent DCV helps organizations simplify domain validation while preparing for the industry’s transition to dramatically shorter certificate lifecycles. By reducing repetitive DNS updates and enabling continuous validation readiness, Sectigo Certificate Manager helps enterprises modernize certificate operations before these changes become mandatory.