You probably don't need private PKI for internal infrastructure
Most teams assume internal infrastructure needs a private CA. It doesn’t - and skipping it saves you from a maintenance burden that never fully works anyway.
Every service you onboard wants proof you control your domain. Most want your DNS credentials to automate that proof. There’s a better approach: CNAME delegation lets you authorize a service once without handing over the keys to your entire zone.
A new ACME validation standard coming in 2026 lets you authorize a CA once and never touch DNS again for renewals. The security model is defensible, but even its supporters admit the optics are questionable.
You’ve been using wildcard certificates for years because they were simpler. One cert, one renewal, copy it everywhere. But now you’re automating anyway. If certificate management is no longer painful, do you still need wildcards? Or are they solving a problem that no longer exists?