How can I troubleshoot Pending Verification domain name issues for VPC endpoint services?

Short description

The following are common reasons for the domain verification status to be stuck in the Pending Verification status:

• You're using a domain name that isn't owned by you or your organization.
• You created a TXT record in private zone file instead of public zone file.
• The domain registrar has the wrong name servers for your domain.

Note: For information on setting up a private DNS name for your VPC endpoint services, see How can I set up my VPC endpoint service to use a custom private DNS name?

Resolution

You're using a domain name that isn't owned by you or your organization

The endpoint service provider can only use a domain name that's owned by you or your organization as a private DNS name. For example, you can't use “amazonaws.com“ as the private DNS name because that domain is owned by Amazon.

You created a TXT record in a private zone instead of public zone

AWS verifies the ownership of the domain name provided under endpoint services. This is done by querying TXT records against the authorized public name server configured under the domain registrar. Verification fails if the user configured the TXT record on a private zone file because it can't be queried publicly.

You can check whether the TXT record value is created in the publicly-verifiable domain or not by using the nslookup command. This command works in both Windows and Linux machines:

nslookup -type=TXT _aksldja21i1.myexampleservice.com

If the TXT record was created in the publicly-verifiable domain, then you receive the domain verification value used while creating the TXT record as the output:

_aksldja21i1.myexampleservice.com text = "vpce:asjdakjshd78126eu21”

If the TXT record was created in the private hosted zone, then you receive output similar to the following:

_aksldja21i1.myexampleservice.com = "v=spf1 -all”

Note: You can also verify this information using any 3rd party websites, such as whatsmydns.

The domain registrar has the wrong name servers for your domain

For private DNS verification, AWS queries the public name servers that are registered under the domain registrar. So, it's important to make sure that the name servers in your public zone file matches the name servers of your registered domain at the registrar.

Note: If the verification status shows Pending Verification for a long time, then you can try manually starting the verification process. For more information, see Manage DNS names for VPC endpoint services.

Related information

You recently transferred DNS service to Amazon Route 53, but you didn't update the name servers with the domain registrar