I am looking forward to finally using DNS-PERSIST-01 for validation. No more dynamic DNS updates, DNS credentials or forwarding necessary.

Sadly most tools still doesn't support it: https://github.com/cert-manager/cert-manager/issues/8373#iss...

And then the issue is protecting the private key of the issuer and monitoring certificates (it's a good idea to do that anyway).