Introduction

ACM DNS validation looks simple only when Route 53 hosts the authoritative zone for the requested name. Teams often add the validation CNAME to the parent zone even though the actual subdomain is delegated somewhere else, so ACM stays in Pending validation indefinitely.

Symptoms

  • The certificate remains in Pending validation long after the CNAME was added
  • Route 53 shows the expected record, but public DNS queries do not
  • The certificate targets a delegated subdomain rather than the root zone
  • Validation works for one domain branch but fails for another

Common Causes

  • The validation CNAME was added to the wrong hosted zone
  • The domain or subdomain is delegated to a different DNS provider
  • The CNAME name or target value was copied incorrectly
  • External DNS automation keeps overwriting the validation record

Step-by-Step Fix

  1. 1.Check the exact ACM validation record values
  2. 2.Do not reconstruct the CNAME by memory. Pull the exact name and value from ACM.
bash
aws acm describe-certificate --certificate-arn <cert-arn> --query 'Certificate.DomainValidationOptions[*].[DomainName,ResourceRecord.Name,ResourceRecord.Value]'
  1. 1.Trace authoritative DNS for the validation name
  2. 2.Query the real validation name so you can see which name servers are authoritative and whether the record is visible publicly.
bash
nslookup -type=CNAME _abcde.example.com
nslookup -type=NS example.com
  1. 1.Create the CNAME in the authoritative hosted zone
  2. 2.If the subdomain is delegated, update the delegated zone instead of the parent zone that only looks correct in the console.
json
{
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "_abcde.example.com.",
        "Type": "CNAME",
        "TTL": 300,
        "ResourceRecords": [
          { "Value": "_12345.acm-validations.aws." }
        ]
      }
    }
  ]
}
  1. 1.Verify public resolution before waiting on ACM again
  2. 2.ACM cannot validate what public DNS cannot resolve. Re-check the exact CNAME from an external resolver before assuming propagation is the issue.
bash
aws route53 change-resource-record-sets --hosted-zone-id Z123456789 --change-batch file://acm-validation.json
nslookup -type=CNAME _abcde.example.com 8.8.8.8

Prevention

  • Document which hosted zone is authoritative for every delegated subdomain
  • Automate ACM validation record creation in the DNS system that actually serves the zone
  • Verify authoritative name servers before troubleshooting propagation
  • Review DNS delegation whenever new environments or subdomains are introduced