Azure Front Door Validation TXT - stops being checked
This happens frequently when a client delays in updating the TXT record.
We send them the DNS settings, including the TXT _dnsauth.yourdomain.com which is required to validate the domain.
Often this expires and we have to generate a new one.
But if not expired, the client makes the update and the record remains as "pending" indefinitely. I have to log a ticket with support to get them to fix it.
Is there a timer that this goes on? This is a major issue as we want to use this service regularly, e.g. daily.
Azure Front Door
-
GitaraniSharma-MSFT 46,261 Reputation points • Microsoft Employee
2023-05-10T13:55:25.48+00:00 Hello @Brett Andrew ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
If I understand correctly, you are facing issues with the TXT record expiring when adding custom domain to Azure Front Door, is that correct?
You've mentioned that you want to use this service daily. Could you please clarify if you add custom domains to your Azure Front Door daily?
Also, could you please confirm if the domain validation state is getting stuck in pending state every time?
Regards, Gita
-
Brett Andrew 20 Reputation points
2023-05-10T22:56:22.8166667+00:00 The issue of a TXT record for validation expiring is the first issue, the bigger the company the longer the delay in having DNS settings changed, but even small companies can take a long time as they do not know what or how to do this.
The second issue is the long delay (up to 2 hours+) of the TXT record being validated if the client takes longer than an hour to action the request. The symptom is that the TXT record is there and we can test and see that, but Azure Front Door (Standard) has the domain as "Pending" and this is where the bigger issue rises:
We are at the mercy of some backoffice batch job or manual task at Azure to validate the domain, so when a new client switches their live website (some with 1 million views per month) and they get the dreaded "<h2> Our services aren't available right now..." message and we cannot give them a reasonable estimate as to when the TXT record will be validated.
We are forced to log a ticket within Azure, after several hours the domain is validated and the SSL certificate is generated, I honestly do not know at this point if it is only being validated because we raised the ticket or if there is a batch job running behind the scenes, if you could clarify for others that would be great.
All other services similar to this within Azure such as validating domains for App Services seem to be able to allow us to validate it live, where the Azure Standard TXT validation is a risk/unknown process.
A solution would be an icon or a button that says "check validation now" would be ideal, we know the TXT record has propagated globally (using 3rd party tools), so we know it should work. If not we know there is a configuration error.
We have clients go live daily and we will automate this via APIs at some point, but first want to get the process right. Is there a better way we can have this domain validated so we don't hit this issue every time?
-
Brett Andrew 20 Reputation points
2023-05-11T02:38:02.6433333+00:00 Update, Azure support team confirmed that no staff actioned the pending domain, the system updated it to validated automatically. They expect this to take 1 to 2 hours from the time the domain TXT auth is updated, but will raise the issue of the website being down for several hours.
I suggested a pre-verification stage, so this can be done before domain transfer, or a button to check the verification now.
-
GitaraniSharma-MSFT 46,261 Reputation points • Microsoft Employee
2023-05-11T12:07:17.4666667+00:00 Hello @Brett Andrew , thank you for the additional details. I've reached out to the Azure Front Door Product Group team to discuss this issue. Please allow me some time to get back to you with an update. Appreciate your patience and understanding on this matter.
-
Denis Couto 0 Reputation points
2023-05-24T01:32:16.46+00:00 Hey @Brett Andrew, I feel your pain. I am facing a similar situation with my environment where I want to onboard a customer's domain, which is a public institution, meaning any simple change takes days to happen.
@GitaraniSharma-MSFT did you hear anything back from the Product Team? Would be great if you could share the PM contact as well. Considering the global reach of AFD and how you necessarily need to get DNS and propagation right for it to work properly, this is far from being a small thing. Well known applications went down because of DNS misconfiguration.
I found this post on TechCommunity where @Aarthi Sukumar goes through the same process but his interface has the button @Brett Andrew and I are looking for. See below:
What happens to that button? Any similar function exists via API or CLI?
Regards.
Denis Couto
-
GitaraniSharma-MSFT 46,261 Reputation points • Microsoft Employee
2023-05-27T11:26:39.3333333+00:00 Hello @Brett Andrew & @Denis Couto ,
Apologies for the delay in response.
I had a discussion with the Azure Front Door Product Group team regarding this issue and below are some points that I would like to share:
Azure Front Door's certificates are issued by our partner certification authority, DigiCert. Refer: https://learn.microsoft.com/en-us/azure/frontdoor/domain#managed-certificate-issuance
And per DigiCert,
After submitting your public SSL/TLS certificate order, submitting a domain for pre-validation, or changing the DCV method for a domain, DCV polling begins immediately and runs for one week:
- Interval 1—Every minute for the first 15 minutes
- Interval 2—Every five minutes for an hour
- Interval 3—Every fifteen minutes for four hours
- Interval 4—Every hour for a day
- Interval 5—Every four hours for a week*
*After Interval 5, we stop checking. If you haven't placed the fileauth.txt file on your domain or added the random value to your DNS TXT or DNS CNAME records by the end of the first week, you'll need to run the check yourself. Running the check also restarts the DCV polling for another week.
To summarize, if the DNS records are there, DigiCert should complete validation within minutes, but eventually they stop checking after one week. And if you fixed your TXT record after DigiCert has stopped checking, then it is a manual trigger again.
Now, the Azure Front Door Product Group team has asked for some examples of TXT validation taking too long, so that they can check from our telemetry and confirm the end user experience.
So, if you have any recent support cases where you reported such incidents, I would request you to share those with me and I will forward them to the PG team for further investigation.
To share the support case numbers, please send an email to us with subject line "ATTN gishar | Azure Front Door Validation TXT - stops being checked" to AzCommunity[at]Microsoft[dot]com with the following details, I will follow-up with you.
- Reference this Q&A thread
- Your Azure Subscription ID
- Previous support case numbers (better share the recent ones which were closed in the last 45 days, if any)
Note: Do not share any PII data as a public comment.
Regards,
Gita
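The polling schedule quoted above determines how long a late TXT record fix will sit unnoticed. The following is an added example (not code from the thread, DigiCert or Microsoft) that models that schedule so you can estimate the next poll for a record that became correct at a given point; it assumes the five intervals are cumulative windows (0-15 min, 15 min-1 h, 1-4 h, 4-24 h, 1-7 days), which is my reading of "runs for one week". Times are seconds since the order or pre-validation was submitted.

```python
# Added example (not from the thread or from DigiCert/Microsoft): models the
# DCV polling schedule quoted in the answer above so you can estimate how long a
# late TXT record fix will wait before the next poll. Assumption: the five phases
# are read as cumulative windows (0-15 min, 15 min-1 h, 1-4 h, 4-24 h, 1-7 days).
WEEK = 7 * 86400

# (end of window in seconds since submission, poll interval in seconds)
PHASES = [
    (15 * 60,   60),        # Interval 1: every minute for the first 15 minutes
    (60 * 60,   5 * 60),    # Interval 2: every five minutes for an hour
    (4 * 3600,  15 * 60),   # Interval 3: every fifteen minutes for four hours
    (24 * 3600, 3600),      # Interval 4: every hour for a day
    (WEEK,      4 * 3600),  # Interval 5: every four hours for a week
]


def poll_interval_at(elapsed):
    """Return the polling interval in force at `elapsed` seconds after the
    order/pre-validation was submitted, or None once polling has stopped."""
    if elapsed < 0:
        raise ValueError("elapsed must be non-negative")
    for window_end, interval in PHASES:
        if elapsed < window_end:
            return interval
    return None  # after one week DigiCert stops checking


def poll_times():
    """Simulate every poll DigiCert would make during the one-week window."""
    times = []
    t = 0
    while (interval := poll_interval_at(t)) is not None:
        times.append(t)
        t += interval
    return times


def next_poll_after(record_fixed_at):
    """Seconds-since-submission of the first poll that will see a TXT record
    that became correct at `record_fixed_at`, or None if the week has passed
    and a manual re-check (which restarts the schedule) is required."""
    for t in poll_times():
        if t >= record_fixed_at:
            return t
    return None


def worst_case_wait(record_fixed_at):
    """Longest possible wait for the next poll at that point in the schedule."""
    return poll_interval_at(record_fixed_at)


def describe(record_fixed_at):
    nxt = next_poll_after(record_fixed_at)
    if nxt is None:
        return "polling stopped; a manual re-check must be triggered"
    wait_min = worst_case_wait(record_fixed_at) // 60
    return f"next poll at +{nxt / 3600:.2f} h (wait <= {wait_min} min)"


if __name__ == "__main__":
    for fixed in (5 * 60, 3 * 3600 + 100, 2 * 86400 + 1, 8 * 86400):
        print(f"record fixed at +{fixed / 3600:.2f} h: {describe(fixed)}")
```

The useful takeaway for planning a cut-over is the worst-case wait at each stage: up to 15 minutes if the client updates DNS within the first four hours, up to an hour within the first day, up to four hours for the rest of the week, and no automatic check at all after that.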
-
GitaraniSharma-MSFT 46,261 Reputation points • Microsoft Employee
2023-06-26T12:36:52.8566667+00:00 Hello @Brett Andrew & @Denis Couto ,
Below is the answer to your question regarding the "Update" button missing which shows up in the Techcommunity blog.
If your domain is not created with Azure DNS, the portal UI won't offer "Update" button for you to complete adding DNS TXT value by one-click.
As you can see in the step 1 of the techcommunity blog, the domain was added using Azure managed DNS.
Kindly let us know if the above helps or you need further assistance on this issue.
In case you need further assistance, please send us an email as advised in my previous comment with the requested details.
Regards,
Gita
-
Bron Thulke 15 Reputation points
2023-08-06T01:20:10.8133333+00:00 We are affected by this diminishing return on polling frequency, especially because we have clients who can be slow to get around to changing DNS. We are about to go through the process of moving about 45 client domains to our Front Door, and this will be a very poor experience for those clients if delays by them lead to issues with the migration. If there could just be a button to say "manually check now" that would help. I understand this is Digicert implementing this polling, but I know with other CA's they have an interface to manually recheck if there was a delay in adding the DNS, so hopefully they can do the same.
-
Denis Couto 10 Reputation points
2023-08-07T13:37:12.79+00:00 @GitaraniSharma-MSFT Thank you for the updates! Valuable information regarding the polling.
It is not that clear when using a 3rd party DNS provider the bit that validates the domain, one of the critical phases, offers less control when comparing to Azure DNS. I agree with @Bron Thulke, changing DNS is not a simple task in a lot of companies, offering more flexibility at this stage would help a lot when onboarding customer's domains.
Any comments from the Product team in this regard would be highly appreciated. Even some guidance on how to deal with the scenarios described by the other engineers on this thread.
Cheers.
-
GitaraniSharma-MSFT 46,261 Reputation points • Microsoft Employee
2023-08-21T06:43:34.7033333+00:00 Hello @Denis Couto , I will try to get some guidance on this from the Product Group team and keep you posted.
-
Brett Andrew 20 Reputation points
2023-08-21T07:05:19.2+00:00 Maybe a button might be just to reset back to Interval 1? checking every 1 minute for the next 15 minutes would be perfect.
-
Chibuikem Akpaka 6 Reputation points
2023-10-22T23:32:27.7766667+00:00 I observed that the issue was with the record name, for my domain provider (WhoGoHost), when attempting to create a TXT record with a fully qualified domain name like '_dnsauth.api.contoso.com' the record remains in a 'pending' state indefinitely. However, I found a workaround by setting the record name as '_dnsauth.api.' It appears that the system already recognizes the domain 'contoso.com,' so when I add a record for '_dnsauth.api.contoso.com,' it inadvertently appends an additional '.contoso.com,' resulting in '_dnsauth.api.contoso.com.contoso.com.'
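The doubled-zone mistake in the post above is easy to catch before going live. The following is an added example, not code from the thread or from Microsoft, with helpers that derive the `_dnsauth.<domain>` name Front Door looks for, convert it to the zone-relative label a provider UI expects, detect a name that had the zone appended twice, and classify a published record as ok, wrong-name, doubled-zone or missing-value. The zone `contoso.com`, the domain `api.contoso.com`, the token and the resolver results are all constructed for the example.

```python
# Added example (not from the thread): helpers for sanity-checking the
# _dnsauth TXT record name before it is published, covering the doubled-zone
# mistake described in the post above. Names and values are constructed.

def normalize(name):
    """Lower-case and drop a trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def expected_txt_name(custom_domain):
    """Azure Front Door validates `custom_domain` via _dnsauth.<custom_domain>."""
    return "_dnsauth." + normalize(custom_domain)


def relative_record_name(fqdn, zone):
    """What to type into a provider UI that appends the zone automatically.

    Returns the zone-relative label(s) for `fqdn` inside `zone`, or '@' when
    the record is at the apex; raises if `fqdn` is not inside `zone`.
    """
    fqdn, zone = normalize(fqdn), normalize(zone)
    if fqdn == zone:
        return "@"
    suffix = "." + zone
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(suffix)]


def has_doubled_zone(published_name, zone):
    """True when the provider appended the zone to an already-qualified name,
    e.g. _dnsauth.api.contoso.com.contoso.com."""
    published_name, zone = normalize(published_name), normalize(zone)
    return published_name.endswith("." + zone + "." + zone)


def diagnose(published_name, custom_domain, zone, published_values, token):
    """Classify why a TXT validation might stay 'pending'.

    `published_values` is the list of TXT strings found at `published_name`
    (from a resolver, or constructed for testing); `token` is the value Front
    Door asked for.
    """
    want = expected_txt_name(custom_domain)
    if has_doubled_zone(published_name, zone):
        return "doubled-zone"      # name got the zone appended twice
    if normalize(published_name) != want:
        return "wrong-name"        # record is not where Front Door looks
    if token not in published_values:
        return "missing-value"     # right name, wrong or absent token
    return "ok"


if __name__ == "__main__":
    ZONE, DOMAIN = "contoso.com", "api.contoso.com"
    TOKEN = "constructed-validation-token"   # placeholder, not a real value
    print(expected_txt_name(DOMAIN))                              # _dnsauth.api.contoso.com
    print(relative_record_name(expected_txt_name(DOMAIN), ZONE))  # _dnsauth.api
    # Constructed resolver results for the two situations in the post:
    print(diagnose("_dnsauth.api.contoso.com.contoso.com", DOMAIN, ZONE, [TOKEN], TOKEN))  # doubled-zone
    print(diagnose("_dnsauth.api.contoso.com", DOMAIN, ZONE, [TOKEN], TOKEN))              # ok
```

In practice you would feed `diagnose` the strings returned by a public resolver (for example the output of `dig +short TXT _dnsauth.api.contoso.com`), which is the same propagation check Brett describes doing with third-party tools, so a pending state can be attributed to the record or to the polling schedule rather than guessed at.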
-
GitaraniSharma-MSFT 46,261 Reputation points • Microsoft Employee
2023-10-27T12:41:57.3466667+00:00 <<<UPDATE>>>
Hello @Brett Andrew , @Denis Couto & @Bron Thulke ,
Please find the recent updates from the Azure Front Door Product Group team on this issue below:
The challenge is totally understood, and we are working with Key Vault team to optimize this experience. We assume this issue is only with managed certificates since we already support BYOC based domain validation which is instant. We’ve discussed all possible options, and figured out the best option and will be implementing the changes soon.
Regards,
Gita