Moving Beyond Manual DCV to Meet the 10-Day CA/B Forum Standard

The modern enterprise is no longer defined by a static collection of servers, but by a massive and constantly shifting population of machine identities. As organizations move toward microservices, serverless functions, and elastic cloud environments, the number of machines requiring unique identities has exploded. These identities are increasingly ephemeral, with lifetimes measured in days or even hours rather than years. In this high-velocity landscape, DNS has become the primary anchor for machine identity, serving as the global source of truth used to prove domain ownership and secure communication.


Within the realm of Public Key Infrastructure (PKI), trust must be proven frequently. For years, Domain Control Validation (DCV) has been the cornerstone of this proof, ensuring that a Certificate Authority (CA) only issues certificates to the legitimate owners of a domain.


However, the ground rules of DCV are shifting. As certificate lifetimes shrink and compliance requirements tighten, manual validation is no longer just an inconvenience. It is now a critical operational risk. For enterprises managing multiple CAs across different business units, visibility into this process is an absolute necessity for maintaining uptime and compliance.


Today, we are sharing the vision for DCV Visibility within Palo Alto Networks Next-Gen Trust Security and Certificate Manager products. This new functionality is designed to help organizations navigate the complex transition from manual proofs to persistent, automated trust.


What is Domain Control Validation?


To understand our direction, we must look at where we started. Traditionally, if you wanted an SSL/TLS certificate for example.com, you had to prove you controlled it using one of three primary methods:


  1. HTTP-01: Serving a CA-supplied token at a well-known path on your web server (for ACME, /.well-known/acme-challenge/<token> over port 80) for the CA to fetch.
  2. DNS-01: Publishing a CA-supplied token in a temporary TXT record in your DNS zone (for ACME, under _acme-challenge.<domain>) for the CA to query.
  3. Legacy out-of-band channels: Validating via email, fax, or phone.


While HTTP and DNS methods can be automated using the ACME protocol, many organizations still perform these updates through manual administrative effort. These legacy approaches worked for a world of one-year certificates, but they were never built for the high-velocity requirements of modern cloud infrastructure and multi-tenant environments.


The Shrinking Window and Why 10 Days Changes Everything


The CA/Browser Forum and major industry players are fundamentally changing the timeline for trust. We are moving from a world where validation data could be reused for nearly a year to a world where it must be refreshed almost constantly.

Critically, we have already entered Phase 1: since March 15, 2026, the 200-day limit has been the active standard.


Milestone                                Max DCV Reuse Period   Certificate Lifespan
Phase 1 (active since March 15, 2026)    200 days               200 days
March 15, 2027                           100 days               100 days
March 15, 2029                           10 days                47 days


The bottom line is that from March 15, 2029, a domain validation can be reused for at most 10 days. With 47-day certificates, that means every renewal needs a fresh proof of control, roughly forty times as often as under the 398-day reuse period that preceded these changes. If your validation process involves manual DNS updates or human-in-the-loop approvals, your certificate renewals will fail and your services face an outage.


Furthermore, legacy validation channels such as email, fax, and phone are being phased out under Ballot SC-090. Under that measure, use of these "weak binding" methods is discouraged as of March 15, 2026, and they are to be fully sunset by March 15, 2028. Ballot SC-094v2 carves out a specific exception for email-based validation where DNSSEC is implemented, but the broader direction is clear: automated DNS and HTTP validation will be the primary compliant methods going forward.


Evaluating Options for the Path to 10-Day DCV


As the 10-day revalidation deadline approaches, organizations have been evaluating several strategies to stay compliant. Each approach has distinct trade-offs that impact security posture and operational efficiency.


Option 1: Distributed DNS Automation (The "Skeleton Key" Problem)


Many teams have attempted to solve DCV by distributing DNS API credentials directly to their issuance pipelines.


  • Pros: Enables high-frequency, automated DNS-01 challenges.
  • Cons: Creates significant security risk. DNS provider credentials are typically zone-wide rather than scoped to a single TXT record, so distributing them to thousands of pipelines turns each copy into a "skeleton key": a breach of any single pipeline lets the attacker rewrite the zone, redirect traffic, or obtain certificates for any name in the domain.


Option 2: HTTP-Based Validation (Infrastructure Exposure and System Limitations)


Some organizations rely on hosting validation tokens on local web servers.


  • Pros: Doesn't require DNS credentials for every renewal.
  • Cons: Requires port 80 to be reachable from the CA on every host being validated, and coordinating token placement across diverse, ephemeral server fleets. This creates an unmanageable amount of infrastructure "noise" and potential exposure. HTTP-01 also cannot validate wildcard names (ACME permits only DNS-01 for those), and it is simply not an option for many enterprise software or hardware appliances that cannot host custom files or expose the required port to the internet.


Option 3: The Definitive Choice—Persistent DNS (DNS-PERSIST-01)


The industry has recognized that neither of the above options is sustainable at scale. This led to the development of DNS-PERSIST-01, a new ACME challenge type (currently progressing as an IETF draft) that replaces the requirement for a fresh token with every request with a standing authorization, bringing massive operational simplification and a much smaller credential footprint.


Instead of a new DNS record for every single renewal, you provision a one-time standing authorization as a TXT record at _validation-persist.example.com. This record names the CA that is permitted to issue and the ACME account (by its account URI) it is permitted to issue to, so the domain is bound to a specific CA and a specific account. Note that the binding is enforced by the CA reading your DNS, not by a signature inside the record, so its integrity rests on the security of your zone (and on DNSSEC where you have it); provision it through the same change-controlled process as any other zone edit.
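As an added illustration (not code from this post, from Palo Alto Networks, or from any CA), the following Python models the decision a CA makes against a standing _validation-persist record and, just as usefully for a monitoring layer, the reason a check would fail. The record syntax used here (the CA's issuer domain, then semicolon-separated accounturi and policy parameters) follows the IETF draft as commonly shown, but the exact labels, and whether a CA also honours records on parent names, are assumptions to verify against the specification your CA implements. The zone contents, CA name and account URI are constructed sample data.

```python
"""Added illustration of a DNS-PERSIST-01 style authorization check.

Not code from this post, from Palo Alto Networks, or from any CA. The record
syntax (issuer domain, then ';'-separated key=value parameters 'accounturi'
and 'policy') follows the IETF draft as commonly shown; treat the exact
labels as assumptions and check them against the specification your CA
implements. Records are looked up on the exact name only; whether a CA also
honours records on parent names is left to the specification.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

PERSIST_LABEL = "_validation-persist"


@dataclass(frozen=True)
class PersistRecord:
    issuer_domain: str          # CA identifier, as used in CAA records
    accounturi: Optional[str]   # ACME account the CA may issue to
    policy: FrozenSet[str]      # extra permissions, e.g. {"wildcard"}


def parse_persist_record(txt: str) -> PersistRecord:
    """Parse 'ca.example; accounturi=https://...; policy=wildcard'."""
    parts = [p.strip() for p in txt.split(";")]
    issuer = parts[0].lower().rstrip(".")
    if not issuer:
        raise ValueError("missing issuer domain")
    params: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed parameter {part!r}")
        key, value = part.split("=", 1)
        params[key.strip().lower()] = value.strip()
    policy = frozenset(p.lower() for p in params.get("policy", "").split(",") if p)
    return PersistRecord(issuer, params.get("accounturi"), policy)


def persist_name(identifier: str) -> str:
    """Map a requested name (possibly '*.example.com') to the record name."""
    base = identifier.lower().rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    return f"{PERSIST_LABEL}.{base}"


def authorized(zone: Dict[str, List[str]], identifier: str,
               ca_issuer_domain: str, account_uri: str) -> Tuple[bool, str]:
    """Return (decision, reason): may `ca_issuer_domain`, acting for ACME
    account `account_uri`, issue for `identifier` under the standing record?
    The reason string is what a monitoring layer would surface on failure."""
    name = persist_name(identifier)
    values = zone.get(name, [])
    if not values:
        return False, f"no TXT record at {name}"
    wants_wildcard = identifier.startswith("*.")
    reasons = []
    for txt in values:
        try:
            rec = parse_persist_record(txt)
        except ValueError as exc:
            reasons.append(f"unparseable record {txt!r}: {exc}")
            continue
        if rec.issuer_domain != ca_issuer_domain.lower().rstrip("."):
            reasons.append(f"record authorizes CA {rec.issuer_domain}, not {ca_issuer_domain}")
            continue
        if rec.accounturi is None:
            reasons.append("record has no accounturi, so it binds no ACME account")
            continue
        if rec.accounturi != account_uri:   # exact match, as for the CAA accounturi parameter
            reasons.append("accounturi does not match the requesting ACME account")
            continue
        if wants_wildcard and "wildcard" not in rec.policy:
            reasons.append("wildcard requested but record policy does not permit wildcard")
            continue
        return True, f"authorized by {name}: {txt}"
    return False, "; ".join(reasons)


# Constructed sample data, not real DNS or CA identifiers.
SAMPLE_CA = "ca.example"
SAMPLE_ACCOUNT = "https://acme.ca.example/acme/acct/42"
SAMPLE_ZONE: Dict[str, List[str]] = {
    "_validation-persist.example.com": [
        f"{SAMPLE_CA}; accounturi={SAMPLE_ACCOUNT}; policy=wildcard",
    ],
    "_validation-persist.api.example.com": [
        f"{SAMPLE_CA}; accounturi={SAMPLE_ACCOUNT}",   # no wildcard policy
    ],
}

if __name__ == "__main__":
    checks = [
        ("example.com", SAMPLE_CA, SAMPLE_ACCOUNT),
        ("*.example.com", SAMPLE_CA, SAMPLE_ACCOUNT),
        ("*.api.example.com", SAMPLE_CA, SAMPLE_ACCOUNT),                        # policy missing
        ("api.example.com", SAMPLE_CA, "https://acme.ca.example/acme/acct/99"),  # wrong account
        ("shop.example.com", SAMPLE_CA, SAMPLE_ACCOUNT),                         # no record
    ]
    for ident, ca, acct in checks:
        ok, why = authorized(SAMPLE_ZONE, ident, ca, acct)
        print(f"{ident:22} {'OK ' if ok else 'FAIL'} {why}")
```

Two design points carry over to production. First, the account URI is compared byte-for-byte: a record that names the right CA but a stale or mistyped account authorizes nothing, which is exactly the failure a DCV early-warning system should report before a renewal is attempted. Second, a wildcard request is refused unless the record explicitly permits it, which is the hook for the wildcard-policy tracking mentioned later in this post. A real CA additionally bounds the record's validity with its own persistence timestamp; that expiry is not modelled here.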


Persistent DNS is the only viable path forward for the modern enterprise. It removes the "skeleton key" risk of distributed credentials, eliminates infrastructure exposure on port 80, and overcomes the inherent technical limitations of enterprise appliances. By removing DNS changes from the critical path of every renewal, it provides the most secure and reliable automated workflow. If your Certificate Authority does not yet support the persistent DNS challenge, it is imperative that you push for it to be added to their immediate roadmap.


Delivering Unmatched Value with Palo Alto Networks Next-Gen Trust Security and Certificate Manager


Palo Alto Networks is not replacing the automation provided by your CAs. Instead, Certificate Manager provides the governance framework that makes that automation safe for the enterprise. We are delivering more than just features; we are providing the strategic oversight required to maintain business continuity.


  • Early Warning System for DCV Incidents: We provide an intelligent monitoring layer that acts as an early warning system. If a DCV challenge fails or an automated process breaks down, Certificate Manager alerts your team immediately, so you can take corrective action before the affected certificates expire and your production issuance pipelines stall.
  • Platformized Visibility and Governance: In a multi-CA environment, critical data is often fragmented across multiple security vendors. Certificate Manager provides unified visibility into your entire DCV and OV (Organization Validation) landscape in a single location. You no longer have to "go hunting" for information across different CA consoles; you have one global source of truth for your entire digital identity footprint.
  • Proactive Compliance Oversight: Instantly audit which domains are using traditional DNS-01, HTTP-01, or the modern, automated DNS-PERSIST-01 method. This ensures that your organization remains compliant with evolving CA/B Forum requirements across all hybrid and multi-cloud environments.
  • Strategic digital identity management: By managing DCV at scale through a single pane of glass, security teams can maintain consistent governance over wildcard policies and domain usage, turning a complex operational burden into a streamlined, manageable process.


The Strategic Necessity of Independent Oversight


By focusing on visibility, Palo Alto Networks Certificate Manager provides a critical governance layer. We empower Security Teams to oversee the automated work being done by their CA partners. This turns a fragmented infrastructure into a transparent, manageable system.


With features like tracking wildcard policy usage and monitoring the persistence timestamps provided by CAs, we provide the proactive intelligence required to maintain uptime in an era of high-frequency validation.


Looking Ahead to the 2026 Roadmap


The industry is moving fast. Let’s Encrypt has already committed to a staging rollout of DNS-PERSIST-01 in late Q1 2026, with production support following in Q2.

At Palo Alto Networks, we are committed to being your partner in this transition. Palo Alto Networks Certificate Manager ensures that as certificate lifespans continue their rapid descent toward 47 days, your business remains protected, compliant, and online.


Stay tuned for more updates as we approach the official launch of these features. The future of trust is automated, and we are here to help you see it clearly.


© 2026 Palo Alto Networks, Inc. All rights reserved. Proprietary and confidential information.
