Root domain configuration not working

Lionel-Daelemans · October 2, 2020, 8:47am

I’ve added the domain www.vitaprotech.com to my vitaprotech.netlify.app site, and added the CNAME entry for the www subdomain and the A record for the root domain as requested.

But the root domain is stuck with the “Check DNS configuration” message, even though the redirection works for me, and I also have the " Waiting on DNS propagation" message for the SSL certificate.
I tried clicking on the “verify DNS configuration” button which then display " DNS verification was successful" but if I come back to this configuration page the first message is here again…

I don’t seem to figure out what’s wrong and even if the site is workign it appears “insecure” to user due to the lack of proper SSL certificate.

Can you help?

gregraven · September 28, 2020, 2:38pm

@Lionel-Daelemans Welcome to the Netlify community.

How long ago did you make this DNS changes? I ask because none has propagated from gandi.net yet.

Also, you need to turn off DNSSEC in your gandi.net dashboard.

By the way, you seem to have included the full domain name in the absolute links to your site assets, which can be a problem. For example, when I try to visit vitaprotech.netlify.app, the site loads without CSS because you have vitaprotech.com in the path to the CSS asset.

Lionel-Daelemans · September 28, 2020, 2:46pm

The DNS changes were made 5hours ago but things seems to be on and off… As my original post stated, the www.vitaprotech.com were showing ok at first but now it also have the “check DNS configuration” message.

I don’t know if the DNSSEC is on in Gandi config but will check it.

And I will also check to update assets to relative paths.

Lionel-Daelemans · September 28, 2020, 3:19pm

I’ve just deployed a new version with all relative links so the site should display properly regardless of the domain.

As for the DNS config, I’m back to the state of my original post. The CNAME entry for www.vitaprotech.com seems to be good, but the A record for the root domain show the “check DNS configuration” message.

And same behavior for the SSL certificate. Still show “Waiting on DNS propagation” message, still validate alright but revert back to waiting if I come back to the page.

I’ve checked and DNSSEC is indeed activated in Gandi but it is needed for some other use of the domain. What’s the problem regarding DNSSEC? I could give you in private the full records if that can help to adjust the config.

gregraven · September 28, 2020, 3:33pm

@Lionel-Daelemans DNS records can take up to 48 hours to propagate.

gregraven · September 28, 2020, 3:35pm

@Lionel-Daelemans DNSSEC is not supported on Netlify. From what I understand, having it enabled will prevent SSL issuance.

gregraven · September 28, 2020, 3:36pm

Much better. The page looks correct now.

Lionel-Daelemans · September 28, 2020, 3:48pm

So quick update. I’ve found that there was an A record for the root domain that was conflicting with the one asked by netlify. one was registered with an @ and the other with vitaprotech.com so the conflict was not picked up by gandi.

Regarding this I’m not sure what is the correct way to set up the record (using @ or explicitly writing the root domain).

As of now, the root domain still displays the “check DNS configuration” message but somehow the SSL certificate as been generated and the site seems to be working just fine.

For the record, I’ve not turned off DNSSEC.

luke · September 29, 2020, 3:45am

Hi, @Lionel-Daelemans. The apex domain isn’t working because the required A record for it doesn’t exist.

The www subdomain does work because there is a CNAME for that domain name:

www.vitaprotech.com.	1800	IN	CNAME	vitaprotech.netlify.app.

We won’t be able to issue SSL certificates for the apex domain until the A record is created. There is more about the DNS records required for our hosting here:

If you want both www.vitaprotech.com and vitaprotech.com to both work, please try adding the A record (or, preferably, some type of alias/glue record if possible).

About the DNSSEC, this site is using the external DNS instructions. DNSSEC does work correctly with that method.

If you wanted to switch to Netlify DNS in the future, then DNSSEC must be disabled first. Our service doesn’t support DNSSEC at this time.

Again, though, I do see DNSSEC enabled for this apex domain and that is completely fine with the current DNS configuration. It will work correctly.

If there are other questions, please let us know.

Lionel-Daelemans · September 29, 2020, 12:30pm

Hi Luke and thanks for the reply.

As I stated in my previous message, there is indeed an A record but I was unsure about the correct syntax of it (DNS config is not my expertise). I set it up according to Netlify suggested syntax :
vitaprotech.com 1800 IN A 104.198.14.52
But it’s been 24 hours now and the record still doesn’t show up in DNS lookup. So I’ve modified it for the syntax suggested by my registrar for apex domain :
@ 1800 IN A 104.198.14.52

I’ll check if that way the A record show up and if that solves the problem for Netlify.

luke · October 2, 2020, 8:47am

Hi, @Lionel-Daelemans. I think the record should be entered as being for one of the following:

vitaprotech.com. (with an ending dot)

or as:

@

Entering the record without an ending dot, in many cases, appends those domain names to the apex domain. I believe that is the case here:

$ dig vitaprotech.com.vitaprotech.com  +noall +answer

; <<>> DiG 9.10.6 <<>> vitaprotech.com.vitaprotech.com +noall +answer
;; global options: +cmd
vitaprotech.com.vitaprotech.com. 1800 IN A	104.198.14.52

With a lookup for just the apex domain, there is no answer:

$ dig vitaprotech.com  +noall +answer

; <<>> DiG 9.10.6 <<>> vitaprotech.com +noall +answer
;; global options: +cmd

Adding a dot to the end or changing the vitaprotech.com to @ in the record should resolve this.

Gandi talks a bit about using @ in their A record documentation here:

If there are other questions, please let us know.