Keeping Domain Control Validation (DCV) Records in Place for Repeat Issuance
Marcus Kennedy
Most administrators treat the Domain Control Validation (DCV) record as scaffolding, published for issuance and deleted the moment the SSL Certificate arrives. That habit made sense when an SSL Certificate lasted years. With maximum validity stepping down to 200 days in 2026, then 100 days in 2027, then 47 days from 2029 under CA/Browser Forum rules (ballot SC-081), the habit ages badly.
Deleting the record turns every issuance into a fresh manual task, and the smarter practice is the opposite one.
The Case for Permanent Records
A completed validation can be reused only for a limited window, currently reducing to 198 days in step with the validity changes and shrinking again at each later step, after which the domain must be validated again. Every reissue or new issuance past that window repeats the check, and once validity reaches 47 days the reuse window will be shorter than the certificate itself, so effectively every issuance will repeat it. Learn About DCV Reuse Periods 🔗
A Domain Name System (DNS) based validation record left permanently in place answers each repeat check the moment it runs, with no human involved. The validation effectively maintains itself, which is exactly the property automation depends on as the issuance cycle tightens.
Records Safe to Leave Published
The CNAME method suits permanence best. The published record points at a target derived from your order and controlled through the issuance process, and it contains nothing sensitive: the target is public, and the Certification Authority (CA) proves control by confirming that the record appears in your zone, not by learning a secret from it. The record asserts only that the domain owner authorized validation, which is precisely what it should keep asserting.
The same logic covers validation TXT records. HTTP file based validation sits apart, since files served from the website invite cleanup, depend on the web server being reachable on every check, and the method cannot serve Wildcard SSL Certificate orders at all, which is one more reason DNS based methods win for anything long-lived.
Note: Permanent means current, not accumulated. Records from superseded orders should still be removed. A DNS name may hold only one CNAME and no other record type beside it (RFC 1034), so a stale CNAME at the same label either blocks the current one from being added or leaves the label invalid, and providers differ only in whether they reject the change or silently serve the wrong record. The practice is one maintained record per validated name, kept accurate.
The record itself is only one piece of a working setup.
Keeping the Zone Healthy Around Them
A permanent record only helps when the checks can actually reach it. Validation lookups arrive from multiple worldwide network perspectives, and Certification Authority Authorization (CAA) records are evaluated on every single issuance, so the zone itself needs globally reachable name servers and CAA entries that permit the issuing CA (an issuewild entry as well, for wildcard orders). A name server that answers only from one region, or a CAA entry left over from a previous CA, fails the issuance even though the DCV record is correct. Learn About CAA Records 🔗
When a repeat issuance stalls despite a record that has worked before, the diagnosis follows the same paths as a first-time failure. Learn About Troubleshooting CNAME Validation 🔗
Where This Leads
Permanent validation records are half of the answer to shortening validity, and automation is the other half. With the record answering validation and the ACME protocol handling issuance and installation, the entire cycle runs without attention, at 200 days or at 47.
These industry changes come from the CA/Browser Forum and apply to every provider equally, so the question is not whether to adapt but how early. Trustico® provides Certificate as a Service (CaaS) as the complete automated answer. Learn About Certificate as a Service (CaaS) 🔗