DNS verification failed for migrated site, using Netlify DNS

Hey,

I migrated my site, balinterdi.com to Netlify and started using Netlify DNS. I switched the name servers to the Netlify ones at my registrar which seems to have worked correctly:


However, DNS verification still fails in the SSL/TLS certificate section, with the error message:

balinterdi.com doesn’t appear to be served by Netlify

I tried to troubleshoot this, reading the DNS & HTTPS guide.

The curl command on that page that checks whether Netlify indeed serves the site passes, Server: Netlify is in the response:

$ curl -s -v http://balinterdi.com 2>&1 | grep Server
< Server: Netlify

The only weird thing I can see is that the dig response has an empty answer section, at least in the A section:

; <<>> DiG 9.10.6 <<>> balinterdi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53838
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 06 ("..")
;; QUESTION SECTION:
;balinterdi.com.			IN	A

;; Query time: 60 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Fri Oct 23 12:17:56 CEST 2020
;; MSG SIZE  rcvd: 49

I’d really appreciate any help with this, as my business site now has a broken https connection (and is thus blocked in major browsers).

Thank you very much,
Balint

@balinterdi I don’t know that I’ve ever seen this exact problem before. Whois reports your name servers correctly, but not dig. If you dig at the Netlify name servers, they know who you are, though.

In your position, I might try deleting and re-creating everything to see if it connects next time. Either that, or wait for Netlify support to poke around.

Hey Greg,

Thank you very much for your response. When you say “delete and re-create everything”, do you mean the DNS records I created (well, copied) on Netlify or even setting the name servers to the Netlify ones at the registrar?

Thanks,
Balint

@balinterdi Sorry I wasn’t more clear. I would delete that site on Netlify, then re-create it via your git repository or via drag-n-drop (whichever you used previously). Netlify might assign you new name servers for the re-created site, so you would then have to edit those entries at name.com.

Thank you, that’s a great idea.

Unfortunately, it didn’t seem to have helped. I recreated the site almost 2 full days ago and I’m still getting the invalid certificate error in browsers. On the Netlify domain management page, the SSL/TLS certificate section shows “Waiting on DNS propagation” since the start:

(The name servers Netlify assigned to my site were the ones from before.)

Is that an improvement over the previous state? Do I just have to wait more?

Thank you.

@balinterdi I’m still seeing the same issue: Whois reports your name servers, but dig doesn’t. Time to get someone from Name or Netlify involved to resolve this issue.


Hi there, I have asked our DNS pro Luke to take a look at this when he comes on shift later. I am sure we can figure this out!


Hi, @balinterdi. The domain has DNSSEC enabled and Netlify DNS doesn’t support DNSSEC:

$ whois balinterdi.com | grep DNSSEC
   DNSSEC: signedDelegation
   DNSSEC DS Data: 2371 13 2 11C934D34F9E2868A72F9F1E7EDDF8FE018D3070E3F812356C30162F797C26FD
DNSSEC: signedDelegation

This is why the DNS queries are failing. To resolve this, there are two solutions. You can either:

  • disable DNSSEC for this domain name

or:

These are the only two solutions for this issue.

Please let us know if there are any questions about this issue or either solution.

Hey Luke,

Thank you a lot for your reply.

I disabled DNSSEC (I removed the single record that was present) and I’ve verified that it’s indeed been disabled:

$ whois balinterdi.com | grep DNSSEC
   DNSSEC: unsigned
DNSSEC: unSigned

I’m still getting the invalid certificate error, even from browsers that haven’t visited the site since it’s been broken. I guess this change needs to propagate like any other DNS change, doesn’t it?

As a reply to myself: yes, this seems to have worked this time.

Thanks a ton for your help, everyone!
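
The diagnosis reached in this thread (a DS record at the parent zone while the domain's name servers serve no DNSSEC keys, so validating resolvers answer SERVFAIL) can be checked with dig alone. The script below is an added example, not code from any poster or from Netlify; the function names and verdict labels are made up for illustration, and the default resolver 1.0.0.1 is the one shown in the dig output of the first post.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a SERVFAIL is caused by
# a DNSSEC delegation that the authoritative name servers cannot satisfy.

# Extract the response code from full dig output read on stdin.
rcode_of() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify_dnssec RCODE RCODE_CD DS DNSKEY
#   RCODE     rcode from a validating resolver (plain query)
#   RCODE_CD  rcode from the same resolver with +cd (validation disabled)
#   DS        DS records published by the parent zone ("" if none)
#   DNSKEY    DNSKEY records served by the domain's own name servers ("" if none)
classify_dnssec() {
    rcode=$1; rcode_cd=$2; ds=$3; dnskey=$4
    if [ -z "$ds" ]; then
        # No DS at the parent: resolvers treat the zone as unsigned.
        if [ "$rcode" = "NOERROR" ]; then echo "unsigned-ok"; else echo "non-dnssec-failure"; fi
    elif [ -z "$dnskey" ]; then
        # Parent promises a signed zone, but the name servers serve no keys.
        echo "broken-chain"
    elif [ "$rcode" = "SERVFAIL" ] && [ "$rcode_cd" = "NOERROR" ]; then
        # Keys exist but validation fails (wrong key, bad or expired signatures).
        echo "validation-failure"
    elif [ "$rcode" = "NOERROR" ]; then
        echo "signed-ok"
    else
        echo "non-dnssec-failure"
    fi
}

# Live check: needs dig and network access. RESOLVER must be a validating one.
check_domain() {
    domain=$1; resolver=${2:-1.0.0.1}
    rcode=$(dig "$domain" A @"$resolver" | rcode_of)
    rcode_cd=$(dig +cd "$domain" A @"$resolver" | rcode_of)
    ds=$(dig +short DS "$domain" @"$resolver")
    ns=$(dig +cd +short NS "$domain" @"$resolver" | head -n 1)
    dnskey=""
    [ -n "$ns" ] && dnskey=$(dig +norecurse +short DNSKEY "$domain" @"$ns")
    classify_dnssec "$rcode" "$rcode_cd" "$ds" "$dnskey"
}

# Run only when a domain is passed, e.g.: sh check.sh example.com
if [ "$#" -gt 0 ]; then check_domain "$@"; fi
```

A "broken-chain" verdict corresponds to the state described above; resolvers may keep returning it after the DS record is removed until their cached copy of it expires.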
