[Support Guide] Why do DNS / SSL changes take up to 48 hours to propagate? (TTL)

Last reviewed by Netlify Support on August 2023

How do time to live (TTL) values affect changes to DNS records?

People often ask why the changes to DNS (Domain Name System) records are not taking effect. The answer to this often involves a core mechanism of how DNS functions - the “time to live” (TTL) values for the DNS records themselves.

This topic is here to answer those questions! :+1:

If you’d prefer a TL;DR in the form of a video, check this out:

(Link to minimal downtime guide referenced in the video)

Otherwise, please read on :slight_smile:.

You might make a DNS record change, double check that it is working for you, but Netlify or Google’s DNS still shows the previous DNS record. Why don’t Netlify, Google, or someone else on the internet see what you see?

The answer is almost always that the previous records and their values are cached (stored temporarily) because of the TTL values in the DNS records themselves.

In most cases, all you can do is wait for the previous records to expire. There is very little that can be done besides waiting. However, if you know about this in advance, you can avoid the delay!

So how do we deal with or prevent these delays? The best way is to be aware of the TTL and reduce it in advance of a change. We have a different community Support Guide about this here:

If you want to learn more about TTL values and DNS record caching, please continue reading.

What is a TTL value?

Let’s take an example, using our own domain netlify.com. We can use the command line tool dig for nearly all DNS-related troubleshooting. It can be installed on most operating systems (including Windows). Here is an example of using dig to find the name servers (NS records) for netlify.com:

$ dig netlify.com NS  +noall +answer

; <<>> DiG 9.10.6 <<>> netlify.com NS +noall +answer
;; global options: +cmd
netlify.com.		3600	IN	NS	dns1.p04.nsone.net.
netlify.com.		3600	IN	NS	dns2.p04.nsone.net.
netlify.com.		3600	IN	NS	dns3.p04.nsone.net.
netlify.com.		3600	IN	NS	dns4.p04.nsone.net.
netlify.com.		3600	IN	NS	ns01.netlifydns.com.
netlify.com.		3600	IN	NS	ns02.netlifydns.com.
netlify.com.		3600	IN	NS	ns03.netlifydns.com.
netlify.com.		3600	IN	NS	ns04.netlifydns.com.

The second field is the TTL value. The TTL values for all records above are 3600. So, what does this value do?

How does the TTL value operate?

DNS is both recursive and distributed. Each domain name has an authoritative DNS server or servers. Other DNS servers query the authoritative servers and cache the record for as long as the TTL value (a time in seconds) indicates to cache them.

This caching helps to reduce the load on the authoritative servers and to make responses faster by having the local DNS server skip lookups for records it has already requested and cached.

An example

For netlify.com, the authoritative DNS servers are the ones listed above.

Your internet service provider (ISP) provides you with a DNS server. It is likely that many other people using your ISP also visit Netlify’s site. When your ISP looks up a DNS record it creates work for the authoritative name servers it queries.

To reduce that load on the authoritative servers, other name servers (like the ones at your ISP) are both allowed and recommended to cache DNS records for a number of seconds - that number being the TTL value in the record itself.

The process works like this:

  1. A user’s computer at an ISP (let’s call them ISP A) makes a DNS lookup for the Netlify NS records above. We’ll call this person’s computer “system #1”.
  2. The local DNS server used by all the users at ISP A makes a DNS lookup and receives the records above.
  3. The DNS server at the ISP returns those records to the system that requested them - system #1.
  4. A second user with a different computer (we’ll call it system #2) but the same ISP also requests these same records.
  5. The DNS server will see those records have recently been requested and that locally cached copies of the records are available. Instead of asking for the same records again, ISP A’s DNS server will return the cached records.

Why is the record cached? To reduce the load on the authoritative server and internet traffic in general.
If the DNS record is in the cache, the query never leaves the ISP’s data center. Also, if the authoritative server goes offline the cached records will mean people can still visit that domain until the TTL expires. This caching is part of how internet networking is designed.

How does this affect DNS record changes?

The TTL tells your ISP’s DNS server not to request the record again but to keep using the cached record from the first query until the TTL expires.

This means that if you change the record on the authoritative server, the downstream servers won’t even try to check those records until the previous records have expired.

If we were to change our name servers for netlify.com it could take 3600 seconds (1 hour) for the records to change when people at ISP A request the servers. (There are workarounds to avoid these delays and there is more about this in the common issue linked to above.)

If we change the record on our authoritative server, the ISP A server won’t see it until the cached record expires.

Now what if the TTL value is 86400? (This TTL value of 86400 is a requirement for NS records at some top-level domains - for example domains ending in .is.) You can see more about that in this topic.

If someone makes a change to the NS records at their domain registrar for a .is domain, it can take 86400 seconds (which is 24 hours) for the records to update for everyone else using the internet.
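The caching behaviour described in the steps above, as an added example that is not Netlify’s code: a small Python model of an authoritative server and an ISP-style caching resolver. The zone name example.test, its name-server names and the timings are constructed; first_seen() returns the second at which the ISP resolver first hands out a changed NS record, so a 3600-second TTL can be compared with one lowered in advance of the change.

```python
from collections import namedtuple

Record = namedtuple("Record", "value ttl")  # ttl: seconds a resolver may cache


def canon(name):
    # Canonical FQDN: lower-case with the trailing root dot, as dig prints it
    return name.lower().rstrip(".") + "."


class Authoritative:
    """Constructed stand-in for a zone's authoritative name server."""
    def __init__(self):
        self.records, self.queries = {}, 0  # queries = load from resolvers

    def set(self, name, rtype, value, ttl):
        self.records[(canon(name), rtype)] = Record(value, ttl)

    def lookup(self, name, rtype):
        self.queries += 1
        return self.records[(canon(name), rtype)]


class CachingResolver:
    """ISP-style recursive resolver: answers from cache until the TTL expires."""
    def __init__(self, upstream):
        self.upstream, self.cache = upstream, {}  # cache: key -> (rec, expiry)

    def resolve(self, name, rtype, now):
        key = (canon(name), rtype)
        if key in self.cache and now < self.cache[key][1]:
            rec, expiry = self.cache[key]
            return Record(rec.value, expiry - now)  # remaining TTL counts down
        rec = self.upstream.lookup(name, rtype)
        self.cache[key] = (rec, now + rec.ttl)
        return rec


def first_seen(ttl, change_at):
    """Second at which an ISP resolver that cached the old NS answer at t=0
    first returns the new value the authority publishes at `change_at`."""
    auth = Authoritative()
    auth.set("example.test", "NS", "ns-old.example.test", ttl)
    isp = CachingResolver(auth)
    isp.resolve("example.test", "NS", 0)  # system #1 warms the ISP cache
    for t in range(1, change_at + ttl + 1):  # the old copy is gone by then
        if t == change_at:
            auth.set("example.test", "NS", "ns-new.example.test", ttl)
        if isp.resolve("EXAMPLE.TEST.", "NS", t).value == "ns-new.example.test":
            return t
```

With the default 3600-second TTL a change made at t=100 is not visible until t=3600; with the TTL lowered to 60 seconds before the change, the same change shows within two minutes.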

Summary

The key point here is that changes to DNS records can take time to take effect on the internet. You can update your DNS records but that doesn’t mean that everyone on the internet will see it immediately.
These changes can sometimes take 24 hours (or more!!!) to take effect. This depends on the TTL value in the previous record - not the new one.

Google offers a tool to expire records from their public DNS servers, however, that only helps for people using those servers. If people use the DNS servers for their ISP, the changes on the Google DNS won’t affect them.

The best solution is the one at the top of this topic - reduce the TTL in advance. Preparation is the surest way to avoid TTL issues when changing records.

If there are other questions about TTLs, DNS, and how they relate to hosting sites at Netlify, please ask them below. We’ll be happy to answer!

I’m setting up some DNS stuff and decided to use Netlify’s DNS offering. So obviously I have to port over all the DNS records from the previous service. My question is, when it comes to Google MX, TXT, SPF records or CNAMEs for their services, is the period at the end important? Do I leave it on or remove it when entering data into Netlify DNS records?

e.g. 1 aspmx.l.google.com. or 1 aspmx.l.google.com

Similarly do the TXT records or SPF records include or omit the double quotes?

e.g is it “v=spf1 include:_spf.google.com ~all” or v=spf1 include:_spf.google.com ~all

Does this matter? Will it break my DNS?!
Dave

Quick answers to your questions:

  1. you do not need the trailing dot in our settings. It varies by service, but we don’t need it.
  2. you do not need the quotes on SPF records - we’ll quote for you automagically.

If the trailing dots are included, will it break DNS?

tl;dr - You don’t need to include it. :slight_smile:

@DaveHarrison, behind the scenes, all top-level domains have an ending dot. However, almost no software (other than DNS name servers themselves) ever includes it.

So, technically speaking, example.com is in reality example.com. with a dot at the end.

However, practically speaking, almost no user interface will ever show those ending dots (not even a web interface for a DNS zone configuration).

The dots appear in the DNS responses in the topic above only because they are in the responses from the DNS server (which, as mentioned, is one of the rare types of software that includes or displays them).

With Netlify DNS, regardless of whether you include the trailing dot or not, we’ll “do the right thing”. It will work correctly with or without it. (By this I mean that our DNS servers always include the trailing dot because the DNS standard says to do so.)

1 Like

Completely new to all of this, but it makes sense. I’m still confused, however. Why is it taking 24 hrs already to point the name servers from Namecheap to Netlify, when I don’t have a site yet? There’s no need to wait for the cache to expire.

In short, all ISPs and providers between us, NS1, your registrar, Let’s Encrypt, and you, need to be aware of the changes. This is the process which can take time and, regrettably, we’re at the mercy of these intermediaries to determine how quick it happens!

1 Like

Thanks Pie! So all I need to do is

  1. go to your domain registrar and change your domain’s nameservers to the following custom host names assigned to your DNS zone. (which I’ve done)
  2. Be patient :slight_smile:

Exactly that! Usually within a couple of hours, the DNS/SSL sections within the Netlify UI will suddenly ‘just work’ :tada:

Sorry, me again.
What does this mean?

Have the DNS changes taken place?
But in my Netlify UI I still see this:

Hi, @ck1ldn. You are seeing a “start of authority” or SOA record for the DNS zone. DNS servers send SOA records when they don’t have an answer for a query but do have a DNS zone configured for the apex domain in question.

In other words, the DNS lookup couldn’t find the A record so it sent the SOA for the zone instead.

I’ve looked at the DNS zone for this custom domain at Netlify and there are no A records (or NETLIFY type records) configured for this zone. NETLIFY type DNS records are special “alias” records our service uses and you can find more information about them in this support guide.

If you add an apex domain to a site (or some subdomain of that apex), Netlify DNS will automatically create the NETLIFY type records needed. Because this hasn’t been done for any sites, there are no NETLIFY records.

I also don’t see any sites on the account where this domain is configured. So, step one will be to deploy your site. Once the site is deployed, then you can add the custom domain to the site using these instructions:

https://docs.netlify.com/domains-https/custom-domains/#assign-a-domain-to-a-site

If there are other questions about this, please let us know.

1 Like

THANK YOU SO MUCH! I know where I went wrong, well after you told me :slight_smile: and what I didn’t understand :slight_smile: All up and running and site is live. Just need to tinker around with it.

2 Likes

Hi, @ck1ldn. Thanks for letting us know it is working now and thanks as well for letting us know if our suggestions were helpful or not. (The feedback helps!) :smiley: