
VPC Lattice Domain Validation Failing Repeatedly Despite Correct DNS

-3

Suggested Post Content: Issue Summary: VPC Lattice domain validation has failed twice for the same domain despite perfect DNS configuration. This is blocking production deployment and may constitute a service quality issue under Australian Consumer Law.

Technical Details:

Domain: aws.example.com.au (redacted)
Region: ap-southeast-2
Current Validation ARN: arn:aws:vpc-lattice:ap-southeast-2:redacted:domainverification/dv-redacted (redacted)
Status: Pending validation for 36+ hours

DNS Configuration Verified Working:

dig @ns-redacted.awsdns-XX.net TXT aws.example.com.au
aws.example.com.au. 300 IN TXT "vpc-lattice:redacted"

dig @ns-redacted.awsdns-XX.org TXT aws.example.com.au
aws.example.com.au. 300 IN TXT "vpc-lattice:redacted"

dig @ns-redacted.awsdns-XX.com TXT aws.example.com.au
aws.example.com.au. 300 IN TXT "vpc-lattice:redacted"

Domain Delegation Confirmed:

dig +short SOA aws.example.com.au
ns-redacted.awsdns-redacted.co.uk. awsdns-redacted-is-aws-going-to-make-this-inclusive.amazon.com. 1 7200 900 1209600 86400

The subdomain is properly delegated to Route 53 nameservers, and the TXT record resolves consistently across all authoritative servers with a 300-second TTL.

Previous Occurrence: This is the second time I've experienced this exact issue with VPC Lattice domain validation. The first occurrence also involved correct DNS configuration but failed validation, requiring workarounds.

Business Impact:

  • Production deployment blocked
  • Cannot use advertised VPC Lattice custom domain feature
  • Forced to implement temporary workarounds

Australian Consumer Law Concerns: Under the Australian Consumer Law (Competition and Consumer Act 2010), services must:

  • Be fit for the purpose for which they are commonly bought (s54)
  • Be of acceptable quality (s55)
  • Match their description (s56)

Domain validation is an advertised core feature of VPC Lattice. Repeated failures of this feature, combined with AWS requiring paid Business Support to resolve service defects, may constitute:

  • Breach of consumer guarantees
  • Unconscionable conduct (requiring payment to fix service defects)
  • Misleading conduct (advertising features that don't reliably work)

Request:

  • Immediate escalation of domain validation issue
  • Root cause analysis of why this validation process fails repeatedly
  • Confirmation that AWS will resolve service defects without requiring paid support plans

Technical Evidence Available:

  • Complete DNS trace results
  • Validation ARN and timestamps
  • Previous case reference (if available)

This appears to be an AWS service-side issue rather than a configuration problem. The DNS is working perfectly, and this is the second occurrence of the same validation failure pattern.

2 Answers
1

I understand your frustration with the domain validation issues you're experiencing with VPC Lattice. Let me provide some technical context about the domain verification process.

VPC Lattice domain verification uses a TXT record method to confirm domain ownership. When you initiate domain verification, the service generates a unique TXT record that must be added to your DNS configuration. The verification process checks for this TXT record and can result in three possible statuses: VERIFIED, PENDING, or VERIFICATION_TIMED_OUT.

Based on your description, your DNS configuration appears correct - you've confirmed the TXT record is properly configured and resolving across all authoritative nameservers. However, there are a few technical aspects to consider:

  1. Verification Timing: The domain verification process may take time to complete, even with correct DNS configuration. The system needs to successfully query and validate the TXT record.

  2. Verification Status: You can check the current status of your domain verification, including when it was created and last verified, to understand where the process stands.

  3. Timeout Scenarios: If verification takes too long, the status may change to VERIFICATION_TIMED_OUT, which would require starting a new verification attempt.

For your specific situation where validation has been pending for 36+ hours with confirmed correct DNS configuration, I recommend:

  • Verifying the exact TXT record value matches what was provided by VPC Lattice for your current verification attempt
  • Checking if there are any service health issues in the ap-southeast-2 region
  • Ensuring there are no conflicting DNS records or DNSSEC issues

Regarding your concerns about support requirements and consumer law, those are business and legal matters that fall outside my technical scope. For service-level issues, escalations, and business policy questions, you would need to engage with AWS Support or AWS account management directly.

If the technical configuration is definitively correct and the service is not functioning as documented, that would warrant investigation through AWS Support channels to identify any service-side issues.
Sources
get_domain_verification - Boto3 1.42.50 documentation
list_domain_verifications - Boto3 1.42.50 documentation
start_domain_verification - Boto3 1.42.50 documentation

answered 2 months ago
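The first answer's checklist (exact token for the current attempt, no conflicting records, consistent across authoritative servers) can be mechanised. The script below is an added example, not code from the original post or from AWS: it parses the answer section of `dig` output for each authoritative nameserver and reports whether exactly the expected token is present, flagging a stale token left over from an earlier verification attempt, a value that differs only in case or whitespace, a token published at the wrong owner name, and a CNAME at the verification name (no other record may coexist with a CNAME, and a resolver follows the alias instead). The nameserver hostnames, tokens and dig transcripts in the sample are constructed; the `dig` helper is for live use and is not exercised by the sample run.

```python
"""Cross-check a VPC Lattice domain-verification TXT record on every
authoritative nameserver. Added example; hostnames and tokens are constructed."""
import re
import subprocess
from dataclasses import dataclass, field

# One resource record as dig prints it: owner TTL class type rdata
RR_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.*)$")
# One quoted <character-string> inside TXT RDATA, honouring backslash escapes
TXT_STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_rdata_to_string(rdata: str) -> str:
    """Join dig's quoted strings into the single value a verifier compares.
    TXT values longer than 255 bytes are split on the wire; dig prints each part quoted."""
    return "".join(s.replace('\\"', '"') for s in TXT_STR_RE.findall(rdata))


@dataclass
class Finding:
    nameserver: str
    ok: bool
    notes: list[str] = field(default_factory=list)


def check_answer(nameserver: str, dig_output: str, record_name: str, expected: str) -> Finding:
    """Evaluate one nameserver's `dig TXT` output against the token of the current attempt."""
    want = record_name.rstrip(".").lower() + "."
    notes: list[str] = []
    txt_here: list[str] = []
    types_here: set[str] = set()
    for line in dig_output.splitlines():
        m = RR_RE.match(line.strip())
        if not m:  # comments, blank lines and non-RR output
            continue
        owner = m["name"].lower().rstrip(".") + "."
        if owner == want:
            types_here.add(m["type"])
            if m["type"] == "TXT":
                txt_here.append(txt_rdata_to_string(m["rdata"]))
        elif m["type"] == "TXT" and txt_rdata_to_string(m["rdata"]) == expected:
            notes.append(f"token published at {owner}, not at {want}")
    if "CNAME" in types_here:
        notes.append("CNAME at the verification name; a TXT record cannot coexist with it")
    if expected in txt_here:
        return Finding(nameserver, True, notes)
    prefix = expected.split(":")[0] + ":"  # e.g. "vpc-lattice:"
    for v in txt_here:
        if v.strip().lower() == expected.lower():
            notes.append(f"near miss {v!r}: differs only in case/whitespace")
        elif v.startswith(prefix):
            notes.append(f"stale token {v!r}: from an earlier verification attempt?")
    if not txt_here:
        notes.append("no TXT record at the verification name")
    return Finding(nameserver, False, notes)


def dig(nameserver: str, name: str) -> str:
    """Live query of one authoritative server directly, bypassing recursive caches."""
    return subprocess.run(["dig", f"@{nameserver}", "+norecurse", "TXT", name],
                          capture_output=True, text=True, check=True).stdout


def check_all(nameservers, name: str, expected: str, fetch=dig) -> list[Finding]:
    return [check_answer(ns, fetch(ns, name), name, expected) for ns in nameservers]


# Constructed transcripts: ns-1 serves the current token, ns-2 still serves the
# token from a previous attempt, ns-3 has a CNAME and the token on the alias target.
CURRENT = "vpc-lattice:0123456789abcdef"
SAMPLE = {
    "ns-1.example.net": ";; ANSWER SECTION:\naws.example.com.au.\t300\tIN\tTXT\t\"vpc-lattice:0123456789abcdef\"\n",
    "ns-2.example.org": ";; ANSWER SECTION:\naws.example.com.au.\t300\tIN\tTXT\t\"vpc-lattice:fedcba9876543210\"\n",
    "ns-3.example.com": (";; ANSWER SECTION:\naws.example.com.au.\t300\tIN\tCNAME\tother.example.com.au.\n"
                         "other.example.com.au.\t300\tIN\tTXT\t\"vpc-lattice:0123456789abcdef\"\n"),
}

if __name__ == "__main__":
    # Offline run over the constructed sample; swap fetch=dig for the real nameservers.
    for f in check_all(SAMPLE, "aws.example.com.au", CURRENT, fetch=lambda ns, _n: SAMPLE[ns]):
        print(f"{f.nameserver}: {'OK' if f.ok else 'FAIL'}")
        for n in f.notes:
            print("  -", n)
```

For a live check, take the nameserver list from `dig +short NS aws.example.com.au` and the expected token from the verification record VPC Lattice issued for the attempt that is currently pending; a token from an earlier, timed-out attempt will show up as the "stale token" finding even though the zone looks correct to the eye.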
-3

Not exactly addressing the problem: 2+ days to validate a domain you host is far from acceptable.

answered 2 months ago
