Error: "A new TXT value has been generated. Update your DNS record with the new TXT value, wait for it to propagate, and then return here to verify"
Administration
Okta Classic Engine
Okta Identity Engine
Overview

The following error occurs repeatedly when clicking Verify, even after confirming that the DNS record for a custom domain has propagated correctly.


A new TXT value has been generated. Update your DNS record with the new TXT value, wait for it to propagate, and then return here to verify.


Update DNS Error

Applies To
  • Add custom domain
  • Creating custom domain
Cause

Scenario 1: CAA Record Configuration

  • Checking the CAA record shows which CAs are allowed to issue. If letsencrypt.org is not listed, the DNS verification fails, because Okta uses Let's Encrypt to issue Okta-managed certificates.

Scenario 2: DNS Propagation

  • Time taken for DNS propagation.
  • Clicking Verify makes the system check for the TXT record; if that check does not succeed, the original value is nullified and cannot be checked again.
  • A new value is then generated, forcing the process to restart.

For Scenario 1, running the dig command dig customdomain.com CAA displays the following in the DNS records: customdomain.com 300 IN CAA 0 issue "0 issue letsencrypt.org".

Solution

Follow these steps to resolve the error message based on the specific scenario:

Scenario 1: CAA Record Configuration

  • When an Okta-managed TLS certificate is used, a Certification Authority Authorization (CAA) record is not required. This is referenced in the Customize domain and email address documentation. If a CAA record exists, however, consider the following:
    • If it is the first time setting up a custom domain URL with an Okta-managed certificate, please add letsencrypt.org to the issuers list, or Okta cannot get the TLS certificate. Please check the Let's Encrypt - Using CAA documentation for more details.
    • If an Okta-managed TLS certificate exists and a CAA record is later added, Okta might be unable to renew the certificate if letsencrypt.org is not included in the CAA record.
    • It is recommended to create the custom domain only with the TXT and CNAME records, not with the CAA record.
      • A CAA (Certification Authority Authorization) record is a type of DNS record that specifies which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for the domain. It helps prevent unauthorized certificate issuance and improves domain security.
      • When using Okta-managed certificates, the Admin page displays the required DNS records, including the CAA record, which is shown as optional. This is because not all domains have these types of records.
  • The DNS Lookup tool can also be used to validate the CAA record.
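As an added example (not Okta's code or the DNS Lookup tool), a small Python check for the Scenario 1 condition: it parses the answer lines of dig <domain> CAA and applies the CAA issuance rule (RFC 8659) to decide whether letsencrypt.org is permitted to issue. The sample answer section, the domain and the CA names in it are constructed placeholders.

```python
import re

# Constructed sample answer section of `dig customdomain.com CAA`; the domain
# and CA names are placeholders, not output captured from any real zone.
SAMPLE_CAA_ANSWERS = """\
customdomain.com.   300 IN  CAA 0 issue "digicert.com"
customdomain.com.   300 IN  CAA 0 issuewild ";"
customdomain.com.   300 IN  CAA 0 iodef "mailto:dns-admin@customdomain.com"
"""

# One dig answer line: <owner> <ttl> IN CAA <flags> <tag> "<value>"
CAA_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)

def parse_caa(dig_output):
    """Return (flags, tag, value) tuples for every CAA answer line in dig output."""
    records = []
    for line in dig_output.splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            records.append((int(m.group("flags")), m.group("tag").lower(), m.group("value").strip()))
    return records

def caa_permits(records, ca_domain, wildcard=False):
    """Apply the RFC 8659 issuance rule: may `ca_domain` issue for this name?

    - No CAA RRset: issuance is unrestricted (the record is optional).
    - For wildcard names, 'issuewild' tags replace 'issue' tags when present.
    - A tag value of ';' (empty issuer) forbids issuance by every CA.
    - An unknown tag with the critical flag (128) set forbids issuance.
    - No issue/issuewild tags at all (e.g. only 'iodef'): unrestricted.
    """
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 128 and tag not in known for flags, tag, _ in records):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    # The issuer domain is the part before ';'; parameters after it are ignored here.
    issuers = [v.split(";")[0].strip().lower() for _, t, v in records if t == tag]
    if not issuers:
        return True
    return ca_domain.lower() in issuers

def check_okta_caa(dig_output):
    """Mirror the condition behind the Okta error: Let's Encrypt must be allowed to issue."""
    if caa_permits(parse_caa(dig_output), "letsencrypt.org"):
        return True, "CAA permits letsencrypt.org (or no CAA record is present)"
    return False, ("CAA record exists but does not allow letsencrypt.org: add it to the "
                   "issue list or remove the CAA record before clicking Verify")
```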


Scenario 2: DNS Propagation

  1. DNS propagation for a TXT record can take anywhere between 48 and 72 hours to occur worldwide.
  2. Once the TXT record is added, wait for that duration until the record can be queried and validated.
  3. The DNS Lookup tool lets us check whether a particular domain's TXT record has propagated.
  4. The CHECK DNS PROPAGATION tool lets us check whether the record has propagated worldwide.
  5. Once validated, it's best to hold off on the next step for a few more hours to ensure all DNS records are validated before clicking verify.