Root domain configuration not working

I’ve added the domain to my site, and added the CNAME entry for the www subdomain and the A record for the root domain as requested.

But the root domain is stuck with the “Check DNS configuration” message, even though the redirection works for me, and I also have the “Waiting on DNS propagation” message for the SSL certificate.
I tried clicking on the “verify DNS configuration” button, which then displays “DNS verification was successful”, but if I come back to this configuration page the first message is here again…

I can’t seem to figure out what’s wrong, and even if the site is working it appears “insecure” to users due to the lack of a proper SSL certificate.

Can you help?

@Lionel-Daelemans Welcome to the Netlify community.

How long ago did you make these DNS changes? I ask because none has propagated from yet.

Also, you need to turn off DNSSEC in your dashboard.

By the way, you seem to have included the full domain name in the absolute links to your site assets, which can be a problem. For example, when I try to visit, the site loads without CSS because you have in the path to the CSS asset.

The DNS changes were made 5 hours ago but things seem to be on and off… As my original post stated, they were showing OK at first but now it also has the “check DNS configuration” message.

I don’t know if the DNSSEC is on in Gandi config but will check it.

And I will also check to update assets to relative paths.

I’ve just deployed a new version with all relative links so the site should display properly regardless of the domain.

As for the DNS config, I’m back to the state of my original post. The CNAME entry for seems to be good, but the A record for the root domain shows the “check DNS configuration” message.

And the same behavior for the SSL certificate. It still shows the “Waiting on DNS propagation” message, still validates alright, but reverts back to waiting if I come back to the page.

I’ve checked and DNSSEC is indeed activated in Gandi but it is needed for some other use of the domain. What’s the problem regarding DNSSEC? I could give you in private the full records if that can help to adjust the config.

@Lionel-Daelemans DNS records can take up to 48 hours to propagate.

@Lionel-Daelemans DNSSEC is not supported on Netlify. From what I understand, having it enabled will prevent SSL issuance.

Much better. The page looks correct now.

So, a quick update. I’ve found that there was an A record for the root domain that was conflicting with the one asked for by Netlify. One was registered with an @ and the other with so the conflict was not picked up by Gandi.

Regarding this I’m not sure what is the correct way to set up the record (using @ or explicitly writing the root domain).

As of now, the root domain still displays the “check DNS configuration” message but somehow the SSL certificate has been generated and the site seems to be working just fine.

For the record, I’ve not turned off DNSSEC.

Hi, @Lionel-Daelemans. The apex domain isn’t working because the required A record for it doesn’t exist.

The www subdomain does work because there is a CNAME for that domain name:	1800	IN	CNAME

We won’t be able to issue SSL certificates for the apex domain until the A record is created. There is more about the DNS records required for our hosting here:

If you want both and to both work, please try adding the A record (or, preferably, some type of alias/glue record if possible).

About the DNSSEC, this site is using the external DNS instructions. DNSSEC does work correctly with that method.

If you wanted to switch to Netlify DNS in the future, then DNSSEC must be disabled first. Our service doesn’t support DNSSEC at this time.

Again, though, I do see DNSSEC enabled for this apex domain and that is completely fine with the current DNS configuration. It will work correctly.

If there are other questions, please let us know.

Hi Luke and thanks for the reply.

As I stated in my previous message, there is indeed an A record but I was unsure about the correct syntax of it (DNS config is not my expertise). I set it up according to Netlify’s suggested syntax: 1800 IN A
But it’s been 24 hours now and the record still doesn’t show up in DNS lookup. So I’ve modified it to the syntax suggested by my registrar for the apex domain:
@ 1800 IN A

I’ll check if that way the A record shows up and if that solves the problem for Netlify.

Hi, @Lionel-Daelemans. I think the record should be entered as being for one of the following:

  • (with an ending dot)

or as:

  • @

Entering the record without an ending dot, in many cases, appends those domain names to the apex domain. I believe that is the case here:

$ dig  +noall +answer

; <<>> DiG 9.10.6 <<>> +noall +answer
;; global options: +cmd
 1800 IN A

With a lookup for just the apex domain, there is no answer:

$ dig  +noall +answer

; <<>> DiG 9.10.6 <<>> +noall +answer
;; global options: +cmd

Adding a dot to the end or changing the to @ in the record should resolve this.

Gandi talks a bit about using @ in their A record documentation here:

If there are other questions, please let us know.
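
The trailing-dot behaviour described in the reply above, and the duplicate apex A records mentioned earlier in the thread, as an added example that is not part of the original thread or of Netlify's or Gandi's code. It models standard zone-file name expansion; `example.com`, the `192.0.2.x` addresses, `site.example.net.` and all function names are constructed placeholders, and a given registrar's editor may behave differently.

```python
# Added example: expand zone-file owner names against the zone origin.
ORIGIN = "example.com."  # constructed zone origin (placeholder domain)

# Constructed records as they might be typed into a zone editor.
# 192.0.2.x are documentation addresses, not real hosting IPs.
ZONE_LINES = """\
@            1800 IN A     192.0.2.10
example.com  1800 IN A     192.0.2.20
example.com. 1800 IN A     192.0.2.20
www          1800 IN CNAME site.example.net.
"""

def qualify(owner, origin=ORIGIN):
    """Return the fully qualified name a relative owner expands to."""
    origin = origin.lower()
    if owner == "@":                 # "@" is shorthand for the origin itself
        return origin
    if owner.endswith("."):          # trailing dot: already absolute
        return owner.lower()
    return f"{owner}.{origin}".lower()   # no dot: origin is appended

def parse(text, origin=ORIGIN):
    """Parse 'owner ttl class type value' lines into tuples with the FQDN."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        owner, _ttl, _rclass, rtype, value = line.split(None, 4)
        records.append((owner, qualify(owner, origin), rtype.upper(), value))
    return records

def misplaced(records, origin=ORIGIN):
    """Records meant for the apex that expanded to apex.apex instead."""
    doubled = origin.lower().rstrip(".") + "." + origin.lower()
    return [r for r in records if r[1] == doubled]

def apex_a_values(records, origin=ORIGIN):
    """Distinct A values published at the apex; more than one is a conflict."""
    return sorted({v for _, fqdn, t, v in records
                   if fqdn == origin.lower() and t == "A"})

if __name__ == "__main__":
    recs = parse(ZONE_LINES)
    for owner, fqdn, rtype, value in recs:
        print(f"{owner:<13} -> {fqdn:<26} {rtype:<5} {value}")
    print("misplaced:", [r[0] for r in misplaced(recs)])
    print("A values at apex:", apex_a_values(recs))
```

The dot-less `example.com` entry lands on `example.com.example.com.`, so a lookup of the apex never sees it, while `@` and `example.com.` both land on the apex and can conflict without the editor noticing.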