Apex custom domain stuck in "Validating" with empty errorMessage — DNS + asuid TXT verified, www on same SWA validates fine #1748

@benjaminsheridan-hue

Summary

SWA apex custom domain has been wedged in Validating status for 6+ days. Sibling www binding on the same resource validated cleanly in under 5 minutes and is currently Ready. The validator surfaces no error: errorMessage is empty/null throughout.

Resource

  • Service: Azure Static Web Apps (Free tier)
  • Region: East US 2
  • Resource: swa-usevalentine (RG usevalentine-website-rg)
  • Subscription ID: redacted — available privately to MSFT engineers on request
  • Apex hostname: usevalentine.com
  • DNS zone: Azure DNS, zone usevalentine.com in RG platform-prod, same sub
  • Registrar: GoDaddy, NS delegated to ns1-08.azure-dns.com, ns2-08.azure-dns.net, ns3-08.azure-dns.org, ns4-08.azure-dns.info

Reproduction

az staticwebapp hostname set \
  --name swa-usevalentine --resource-group usevalentine-website-rg \
  --hostname usevalentine.com --validation-method dns-txt-token
# add asuid.usevalentine.com TXT matching validationToken, TTL 60

Current state (verified via Cloud Shell against ARM, 2026-05-28 ~02:13 UTC)

  • Apex binding status: Validating
  • validationToken: _52vtb67jw0r4rc18pcgd5yvcudq44d5
  • asuid.usevalentine.com TXT (TTL 60) value: _52vtb67jw0r4rc18pcgd5yvcudq44d5 (matches)
  • errorMessage: null
  • Apex @ ALIAS A → swa-usevalentine (provisioning state Succeeded)
  • Activity log: zero staticSites/customDomains events on this resource for 48+ hours
  • Resource Health endpoint: returns UnsupportedResourceType for SWA
  • Sibling www.usevalentine.com on same SWA: Ready (validated within minutes on 2026-05-22)

What I have already tried (none cleared the wedge)

  1. Verified asuid TXT is globally resolvable via 8.8.8.8, 1.1.1.1, 9.9.9.9 — token matches.
  2. Confirmed zero CAA records at the zone apex.
  3. Deleted the apex ALIAS A, waited 8+ min — no change.
  4. Full reset: deleted the binding, deleted asuid TXT, waited 60s for TTL, recreated binding with dns-txt-token, fetched fresh token, recreated matching asuid TXT — wedged again for 5+ min.
  5. Attempted --validation-method dns-alias-token — not a valid CLI option (CLI only accepts cname-delegation and dns-txt-token). Apex effectively has only one validation path.
  6. Re-staged apex ALIAS A first, then rebound with dns-txt-token and fresh matching TXT — wedged again for 6+ min.

History

  • First attempt: 2026-05-22 17:51 UTC — stuck Validating ~70 min, no progress.
  • Recreated binding: 2026-05-24 07:46 UTC — same wedge.
  • Recreated again: 2026-05-28 02:00 UTC — same wedge.

Hypothesis

Server-side apex validator code path is wedged for this specific SWA resource. www path on the same resource validates cleanly, so the validator infrastructure itself is healthy — only the apex branch is broken. Internal validator logs should show what's happening.

Ask

  • Could an SWA engineer poke the validator from the backend, or surface what's causing the silent retry loop?
  • Is there a known issue with apex TXT validation right now, or a way to trigger a re-validation that bypasses the wedge?

Happy to share the subscription ID, resource ID, and Cloud Shell logs privately with anyone from the SWA team. Thanks!
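Added example, not part of the original issue and not Azure tooling: a shell helper for the resolver check in step 1 that classifies each resolver's `asuid` TXT answer as match, mismatch (stale or mistyped token) or missing. The function names are hypothetical, and passing an authoritative name server alongside the public resolvers is an addition that rules out resolver caching.

```shell
#!/usr/bin/env bash
# Added example: compare a validation token with the TXT answers each resolver returns.

# normalize_txt: reads `dig +short TXT` output on stdin, one record per line.
# dig prints each character-string in quotes; a record split into several
# strings ("abc" "def") is joined, as DNS consumers treat it as one value.
normalize_txt() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# token_state TOKEN: reads dig output on stdin and prints one of
#   match     a TXT record equals the token exactly (TXT data is case-sensitive)
#   mismatch  TXT records exist but none equals the token
#   missing   no TXT answer at all (empty answer or NXDOMAIN)
token_state() {
  local token=$1 records
  records=$(normalize_txt)
  if [ -z "$records" ]; then
    echo missing
  elif printf '%s\n' "$records" | grep -Fxq -- "$token"; then
    echo match
  else
    echo mismatch
  fi
}

# check_resolvers HOST TOKEN RESOLVER...: live query, needs dig and network access.
check_resolvers() {
  local host=$1 token=$2 r
  shift 2
  for r in "$@"; do
    printf '%-24s %s\n' "$r" \
      "$(dig +short "@$r" "$host" TXT | token_state "$token")"
  done
}

# Live run only when asked for, for example:
#   ./check-asuid.sh --live asuid.usevalentine.com '<validationToken>' \
#       ns1-08.azure-dns.com 8.8.8.8 1.1.1.1 9.9.9.9
if [ "${1:-}" = "--live" ]; then
  shift
  check_resolvers "$@"
fi
```

A `mismatch` from a public resolver while the authoritative server reports `match` points to a cached answer from an earlier binding rather than a wrong record.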
