Azure Front Door Validation TXT - stops being checked

Question

Azure Front Door Validation TXT - stops being checked

Brett Andrew 5

This happens frequently when a client delays in updating the TXT record.

We send them the DNS settings, including the TXT _dnsauth.yourdomain.com which is required to validate the domain.

Often this expires and we have to generate a new one.

But if not expired, the client makes the update and the record remains as "pending" indefinitely. I have to log a ticket with support to get them to fix it.

Is there a timer that this goes on? This is a major issue as we want to use this service regularly, e.g. daily.

GitaraniSharma-MSFT 32,636 Reputation points Microsoft Employee

2023-05-10T13:55:25.48+00:00

Hello @Brett Andrew ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

If I understand correctly, you are facing issues with the TXT record expiring when adding custom domain to Azure Front Door, is that correct?

You've mentioned that you want to use this service daily. Could you please clarify if you add custom domains to your Azure Front Door daily?

Also, could you please confirm if the domain validation state is getting stuck in pending state every time?

Regards, Gita
Brett Andrew 5 Reputation points

2023-05-10T22:56:22.8166667+00:00

The issue of a TXT record for validation expiring is the first issue, the bigger the company the longer the delay in having DNS settings changed, but even small companies can take a long time as they do not know what or how to do this.

The second issue is the long delay (up to 2 hours+) of the TXT record being validated if the client takes longer than an hour to action the request. The symptom is that the TXT record is there and we can test and see that, but Azure Front Door (Standard) has the domain as "Pending" and this is where the bigger issue rises:

We are at the mercy of some backoffice batch job or manual task at Azure to validate the domain, so when a new client switches their live website (some with 1 million views per month) and they get the dreaded "<h2> Our services aren't available right now..." message and we cannot give them a reasonable estimate as to when the TXT record will be validated.

We are forced to log a ticket within Azure, after several hours the domain is validated and the SSL certificate is generated, I honestly do not know at this point if it is only being validated because we raised the ticket or if there is a batch job running behind the scenes, if you could clarify for others that would be great.

All other services similar to this within Azure such as validating domains for App Services seem to be able to allow us to validate it live, where the Azure Standard TXT validation is a risk/unknown process.

A solution would be an icon or a button that says "check validation now" would be ideal, we know the TXT record has propagated globally (using 3rd party tools), so we know it should work. If not we know there is a configuration error.

We have clients go live daily and we will automate this via APIs at some point, but first want to get the process right. Is there a better way we can have this domain validated so we don't hit this issue every time?
Brett Andrew 5 Reputation points

2023-05-11T02:38:02.6433333+00:00

Update, Azure support team confirmed that no staff actioned the pending domain, the system updated it to validated automatically. They expect this to take 1 to 2 hours from the time the domain TXT auth is updated, but will raise the issue of the website being down for several hours.

I suggested a pre-verification stage, so this can be done before domain transfer, or a button to check the verification now.
GitaraniSharma-MSFT 32,636 Reputation points Microsoft Employee

2023-05-11T12:07:17.4666667+00:00

Hello @Brett Andrew , thank you for the additional details. I've reached out to the Azure Front Door Product Group team to discuss this issue. Please allow me some time to get back to you with an update. Appreciate your patience and understanding on this matter.
Denis Couto 0 Reputation points

2023-05-24T01:32:16.46+00:00

Hey @Brett Andrew w I feel your pain.I am facing a similar situation with my environment where I want to onboard a customer's domain, which is a public institution, meaning any simple change take days to happen.

@GitaraniSharma-MSFT did you hear anything back from the Product Team? Would be great if you could share the PM contact as well. Considering the global reach of AFD and how you necessarily need to get DNS and propagation right for it to work properly, this is far from being a small thing. Well known applications went down because of DNS misconfiguration.

I found this post on TechCommunity where @Aarthi Sukumar goes through the same process but his interface the button @Brett Andrew and I are looking for. See below:

What happens to that button? Any similar function exists via API or CLI?

Regards.

Denis Couto
GitaraniSharma-MSFT 32,636 Reputation points Microsoft Employee

2023-05-27T11:26:39.3333333+00:00
Hello @Brett Andrew & @Denis Couto ,

Apologies for the delay in response.

I had a discussion with the Azure Front Door Product Group team regarding this issue and below are some points that I would like to share:

Azure Front Door's certificates are issued by our partner certification authority, DigiCert. Refer: https://learn.microsoft.com/en-us/azure/frontdoor/domain#managed-certificate-issuance

And per DigiCert,

After submitting your public SSL/TLS certificate order, submitting a domain for pre-validation, or changing the DCV method for a domain, DCV polling begins immediately and runs for one week:

Interval 1—Every minute for the first 15 minutes

Interval 2—Every five minutes for an hour

Interval 3—Every fifteen minutes for four hours

Interval 4—Every hour for a day

Interval 5—Every four hours for a week*

*After Interval 5, we stop checking. If you haven't placed the fileauth.txt file on your domain or added the random value to your DNS TXT or DNS CNAME records by the end of the first week, you'll need to run the check yourself. Running the check also restarts the DCV polling for another week.

Refer: https://docs.digicert.com/en/certcentral/manage-certificates/automatic-domain-control-validation-checks.html

To summarize, if the DNS records are there, DigiCert should complete validation within minutes, but eventually they stop checking after one week. And if you fixed your TXT record after DigiCert has stopped checking, then it is a manual trigger again.

Now, the Azure Front Door Product Group team has asked for some examples of TXT validation taking too long, so that they can check from our telemetry and confirm the end user experience.

So, if you have any recent support cases where you reported such incidents, I would request you to share those with me and I will forward them to the PG team for further investigation.

To share the support case numbers, please send an email to us with subject line "ATTN gishar | Azure Front Door Validation TXT - stops being checked" to AzCommunity[at]Microsoft[dot]com with the following details, I will follow-up with you.

Reference this Q&A thread

Your Azure Subscription ID

Previous support case numbers (better share the recent ones which were closed in the last 45 days, if any)

Note: Do not share any PII data as a public comment.

Regards,

Gita

GitaraniSharma-MSFT 32,636 Reputation points Microsoft Employee

2023-05-10T13:55:25.48+00:00

Hello @Brett Andrew ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

If I understand correctly, you are facing issues with the TXT record expiring when adding custom domain to Azure Front Door, is that correct?

You've mentioned that you want to use this service daily. Could you please clarify if you add custom domains to your Azure Front Door daily?

Also, could you please confirm if the domain validation state is getting stuck in pending state every time?

Regards, Gita
Brett Andrew 5 Reputation points

2023-05-10T22:56:22.8166667+00:00

The issue of a TXT record for validation expiring is the first issue, the bigger the company the longer the delay in having DNS settings changed, but even small companies can take a long time as they do not know what or how to do this.

The second issue is the long delay (up to 2 hours+) of the TXT record being validated if the client takes longer than an hour to action the request. The symptom is that the TXT record is there and we can test and see that, but Azure Front Door (Standard) has the domain as "Pending" and this is where the bigger issue rises:

We are at the mercy of some backoffice batch job or manual task at Azure to validate the domain, so when a new client switches their live website (some with 1 million views per month) and they get the dreaded "<h2> Our services aren't available right now..." message and we cannot give them a reasonable estimate as to when the TXT record will be validated.

We are forced to log a ticket within Azure, after several hours the domain is validated and the SSL certificate is generated, I honestly do not know at this point if it is only being validated because we raised the ticket or if there is a batch job running behind the scenes, if you could clarify for others that would be great.

All other services similar to this within Azure such as validating domains for App Services seem to be able to allow us to validate it live, where the Azure Standard TXT validation is a risk/unknown process.

A solution would be an icon or a button that says "check validation now" would be ideal, we know the TXT record has propagated globally (using 3rd party tools), so we know it should work. If not we know there is a configuration error.

We have clients go live daily and we will automate this via APIs at some point, but first want to get the process right. Is there a better way we can have this domain validated so we don't hit this issue every time?
Brett Andrew 5 Reputation points

2023-05-11T02:38:02.6433333+00:00

Update, Azure support team confirmed that no staff actioned the pending domain, the system updated it to validated automatically. They expect this to take 1 to 2 hours from the time the domain TXT auth is updated, but will raise the issue of the website being down for several hours.

I suggested a pre-verification stage, so this can be done before domain transfer, or a button to check the verification now.
GitaraniSharma-MSFT 32,636 Reputation points Microsoft Employee

2023-05-11T12:07:17.4666667+00:00

Hello @Brett Andrew , thank you for the additional details. I've reached out to the Azure Front Door Product Group team to discuss this issue. Please allow me some time to get back to you with an update. Appreciate your patience and understanding on this matter.
Denis Couto 0 Reputation points

2023-05-24T01:32:16.46+00:00

Hey @Brett Andrew w I feel your pain.I am facing a similar situation with my environment where I want to onboard a customer's domain, which is a public institution, meaning any simple change take days to happen.

@GitaraniSharma-MSFT did you hear anything back from the Product Team? Would be great if you could share the PM contact as well. Considering the global reach of AFD and how you necessarily need to get DNS and propagation right for it to work properly, this is far from being a small thing. Well known applications went down because of DNS misconfiguration.

I found this post on TechCommunity where @Aarthi Sukumar goes through the same process but his interface the button @Brett Andrew and I are looking for. See below:

What happens to that button? Any similar function exists via API or CLI?

Regards.

Denis Couto

Azure Front Door Validation TXT - stops being checked

Activity