Share via

Azure Front Door domain validation stuck - DNS confirmed correct by diagnostics

Omar M 0 Reputation points
2026-02-13T06:14:30.2866667+00:00

Environment:

  • Azure Front Door Standard
  • Resource: community-wellness-frontdoor
  • Domains: wbcms.durri.org.au, wbapp.durri.org.au
  • Duration: 5+ hours in Pending validation state

Issue: Custom domain validation stuck in "Pending" state despite Azure's own diagnostics confirming DNS records are correct.

Azure Diagnostics Results:

✅ "The public DNS TXT record for _dnsauth.wbapp.durri.org.au correctly matches the expected value"

✅ "The public DNS TXT record for _dnsauth.wbcms.durri.org.au correctly matches the expected value" DNS Verification (nslookup):

✅ TXT records resolving correctly

✅ CNAME records pointing to AFD endpoint

✅ Full DNS chain validated Configuration:

✅ Domains associated with correct endpoints

✅ Routes properly configured

✅ Provisioning state: Succeeded

❌ Validation state: Pending (5+ hours)

Azure's diagnostics proves DNS is correct, but validation won't complete.

Cannot regenerate TXT as client has already configured DNS correctly in their timezone.

Is this a known platform issue?

How can I trigger manual validation?

Azure Front Door
Azure Front Door

An Azure service that provides a cloud content delivery network with threat protection.

0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Thanmayi Godithi 7,110 Reputation points Microsoft External Staff Moderator
    2026-02-13T06:57:28.6366667+00:00

    Hi @Omar M,

    Thank you for reaching out on Microsoft Q&A forum.

    When a custom domain in Azure Front Door (Standard/Premium) remains in Pending state even though DNS diagnostics show correct records, please review the following:

    1.Verify public DNS propagation

    • Confirm the TXT record is publicly resolvable using tools like nslookup, dig, or online DNS checkers.
    • Ensure the TXT value exactly matches the value generated by Azure Front Door.
    • DNS propagation can vary depending on TTL and DNS provider.

    2.Confirm CNAME configuration

    1. Ensure the custom domain CNAME points to the correct Azure Front Door endpoint hostname (*.azurefd.net).
    2. Verify there are no conflicting or stale DNS records (old CNAMEs or TXT records).

    3.Validate Front Door configuration

    1. Confirm the custom domain is associated with the correct Front Door endpoint and route.
    2. Ensure the route provisioning state shows Succeeded.
    3. Make sure HTTPS settings (Azure-managed certificate or BYOC) are configured correctly.

    4.Check for CAA records

    1. If you are using an Azure-managed certificate, verify whether a CAA record exists on the domain.
    2. If present, ensure it allows Microsoft’s certificate authority (for example, DigiCert). Missing or restrictive CAA records can prevent validation even when TXT records are correct.

    5.Allow sufficient time

    1. In most cases validation completes automatically after DNS is detected.
    2. If the status remains Pending for an extended period despite correct DNS, backend verification from Microsoft may be required.

    Note: Even if the checks above have been completed, if the issue persists, we may need to resolve it from the backend. Could you please share the requested details with me via private message?

    Kindly let us know if the above helps or you need further assistance on this issue.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.