Let's Encrypt can only offer challenges that are allowed in the CA/Browser Baseline Requirements. Has there been a ballot that voted for dns-account-01 and did it pass?
I didn't see any comparison of dns-persist with dns-account in that blog.
Wouldn't dns-persist give the multi-provider situation the same benefit? Instead of using a unique CNAME they have their own dns-persist record. In both cases these are tied to ACME account ID so there is no difference there.
With dns-persist there is no need to dynamically add/delete TXT records, so redirecting requests to a DNS system the provider can modify isn't needed either.
For example:

```zone
_validation-persist.example.com. IN TXT (
    "letsencrypt.org;"
    " accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/(Fastly_ID)"
)
_validation-persist.example.com. IN TXT (
    "letsencrypt.org;"
    " accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/(SERVICE2_ID)"
)
```
The controller of the persist DNS records can further set expiration periods. That could align with contract terms, for example.
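To make the comparison in the post above concrete, here is an added example (my own code, not from the poster, the drafts, Let's Encrypt or Boulder) that models how a CA would consume the two record styles: a dns-persist style lookup that tolerates several providers' records under one owner name, and a dns-account-01 style lookup against the same static zone. The record formats follow draft-ietf-acme-dns-persist and draft-ietf-acme-dns-account-label as I read them (in particular the account-label construction is my reading, so check it against the current draft); the zone data, account URIs, the `ca.example` issuer and the key authorization string are constructed sample values.

```python
"""Added example (not from the post or from Let's Encrypt/Boulder): a small
checker that models how a CA would consume the two record styles discussed
above.  Record formats follow draft-ietf-acme-dns-persist and
draft-ietf-acme-dns-account-label as I read them (assumption); the zone,
account URIs and key authorization below are constructed sample values."""
import base64
import hashlib
import re

# Constructed sample zone: owner name -> list of TXT RRs; each RR is the list of
# <character-string>s as it would appear in the zone file.  A resolver (and a
# CA) concatenates the strings of one RR before interpreting it.
SAMPLE_ZONE = {
    "_validation-persist.example.com.": [
        ["letsencrypt.org;", " accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/111"],
        ["letsencrypt.org;", " accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/222"],
        # hypothetical second CA sharing the same owner name, with a policy parameter
        ["ca.example; accounturi=https://ca.example/acme/acct/333; policy=wildcard"],
    ],
}

PARAM_RE = re.compile(r"^([a-z][a-z0-9-]*)=(.*)$", re.IGNORECASE)


def rr_text(strings):
    """Join the character-strings of one TXT RR before parsing it."""
    return "".join(strings)


def parse_persist_record(text):
    """Parse 'issuer-domain; key=value; ...' into (issuer, params).

    Raises ValueError on malformed input so a CA can skip (not trust) it."""
    fields = [f.strip() for f in text.split(";")]
    issuer = fields[0].lower()
    if not issuer or " " in issuer:
        raise ValueError("bad issuer field: %r" % fields[0])
    params = {}
    for field in fields[1:]:
        if not field:
            continue  # tolerate a trailing ';'
        m = PARAM_RE.match(field)
        if not m:
            raise ValueError("bad parameter: %r" % field)
        key = m.group(1).lower()
        if key in params:
            raise ValueError("duplicate parameter: %r" % key)
        params[key] = m.group(2).strip()
    return issuer, params


def persist_authorized(zone, domain, issuer, account_uri):
    """dns-persist style check: is this issuer+account listed for the domain?

    Several providers' records coexist under one owner name; the CA only
    accepts a record whose issuer field names itself and whose accounturi
    equals the requesting account exactly (no prefix or substring matching)."""
    owner = "_validation-persist." + domain.rstrip(".") + "."
    for rr in zone.get(owner, []):
        try:
            rec_issuer, params = parse_persist_record(rr_text(rr))
        except ValueError:
            continue  # a malformed record from another provider must not break the rest
        if rec_issuer == issuer.lower() and params.get("accounturi") == account_uri:
            return True
    return False


def dns_account_label(account_uri):
    """dns-account-01 owner-name label as I read the draft (assumption):
    '_' + lowercase base32 of the first 10 bytes of SHA-256(account URI),
    followed by '._acme-challenge'.  Each account gets its own label, so two
    providers never collide, but the record content is still per-order."""
    digest = hashlib.sha256(account_uri.encode("ascii")).digest()
    return "_" + base64.b32encode(digest[:10]).decode("ascii").lower() + "._acme-challenge"


def dns01_txt_value(key_authorization):
    """Per-order TXT content shared by dns-01 and dns-account-01 (RFC 8555
    section 8.4): base64url(SHA-256(keyAuthorization)) without padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def account_challenge_satisfied(zone, domain, account_uri, key_authorization):
    """dns-account-01 style check against the same zone.  With nothing
    published under the account label it fails: this method still needs a
    TXT record added at order time, which is the operational difference the
    post above is pointing at."""
    owner = dns_account_label(account_uri) + "." + domain.rstrip(".") + "."
    expected = dns01_txt_value(key_authorization)
    return any(rr_text(rr) == expected for rr in zone.get(owner, []))


if __name__ == "__main__":
    le = "letsencrypt.org"
    acct = "https://acme-v02.api.letsencrypt.org/acme/acct/111"
    print("persist ok:", persist_authorized(SAMPLE_ZONE, "example.com", le, acct))
    print("account label:", dns_account_label(acct))
    print("account-01 against static zone:",
          account_challenge_satisfied(SAMPLE_ZONE, "example.com", acct, "tok.thumb"))
```

Running it shows the static `_validation-persist` records authorizing two Let's Encrypt accounts and one hypothetical other CA side by side, while the dns-account-01 lookup only succeeds once a per-order TXT record is published under the account-specific label; the `policy` and expiry handling the draft allows (and the post mentions) would sit on top of `parse_persist_record`.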
The dns-account-01 validation method is allowed in the BRs per Ballot SC-084 "DNS Labeled with ACME Account ID Validation Method". It is also implemented in Boulder, thanks to contributions from our friends at Certainly.
You're correct that dns-persist-01 largely obviates the need for dns-account-01, as both methods allow records for multiple ACME providers to coexist.
We have not made any public statements about whether or when we plan to enable dns-account-01 validation.