SSL Certificate Not Provisioning

Netlify Site Name: exquisite-piroshki-ca8db5
Custom Domain: ebongo.org

I added the custom domain for my site last Thursday, then waited 24 hours for the DNS to propagate, which it did successfully. Both the bare and www custom domains are reporting as Netlify DNS. However, when trying to provision an SSL cert for the custom domain, I am getting the "waiting on DNS propagation" message, and when I try to do it manually, I get:

DNS verification failed

  • ebongo.org is not resolvable with a resolver that validates DNSSEC

If the DNS settings were not showing Netlify DNS, I would understand this message, but it has been over 2 days since that was set and I am still unable to have a cert generated.

Hi, @mytungsten. You have DNSSEC enabled for this domain at the registrar. Netlify DNS doesn’t support DNSSEC so this is causing all DNS lookups to fail.

There are two solutions.

Either:

  • disable DNSSEC at the registrar

or:

  • stop using Netlify DNS for this domain and use the external DNS instructions instead

If there are questions for either solution, please let us know.

Around 2 weeks ago, the domain was transferred to me. The previous registrar had DNSSEC enabled; however, my new one does not. I used http://dnsviz.net/ to check and initially it came back with the old DNSSEC; however, when I had it analyze the current state, it verified that it is not enabled. Is there a way to have Netlify recheck this or clear a DNS cache that might be returning the old response?

No one can do this below:

Is there a way to have Netlify recheck this or clear a DNS cache that might be returning the old response?

Netlify has no control over third-party DNS caches as DNS simply does not work that way. You might ask the designers of the DNS specification to modify it to allow this but, with the reality as it stands today, it is impossible for Netlify (or anyone else) to do so currently.

As a side note, Google itself makes it possible to clear the DNS caches for 8.8.8.8 and 8.8.4.4 here (which are the IP addresses for Google’s public DNS resolvers). Please also note, anyone can do that so you don’t need to ask us. You can clear that cache yourself if you believe it is the cause (but I do not believe it was).

There is a support guide with more information about DNS caching here:

That said, the previous DNS records do appear to have expired and DNS lookups are succeeding for that domain now.

You can use the URL below to test:

https://toolbox.googleapps.com/apps/dig/#A/ebongo.org

If there are other questions, we’ll be here.
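The situation discussed in this thread (DNSSEC still signalled at the registry while the new DNS host serves unsigned answers) can be told apart from an ordinary DNS outage by comparing a validating lookup with one that has validation switched off. The following is an added example, not part of the original posts or Netlify's tooling; the zone `example.org`, the sample `dig` output and the function names are constructed for illustration.

```python
import re

# Constructed dig output for a hypothetical zone (example.org), not captured from
# the domain in this thread. Commands that would produce each piece:
#   dig @8.8.8.8 example.org A          -> VALIDATED
#   dig @8.8.8.8 example.org A +cd      -> UNCHECKED (+cd = skip DNSSEC validation)
#   dig @8.8.8.8 example.org DS         -> PARENT_DS
#   dig @8.8.8.8 example.org DNSKEY +cd -> CHILD_DNSKEY
VALIDATED = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1\n"
UNCHECKED = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2\n"
             "example.org.\t3600\tIN\tA\t192.0.2.10\n")
PARENT_DS = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3\n"
             "example.org.\t86400\tIN\tDS\t12345 13 2 00AA11BB22CC\n")
CHILD_DNSKEY = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4\n"

def rcode(dig_text):
    """Return the response code from dig's header line, e.g. 'SERVFAIL'."""
    m = re.search(r"status: ([A-Z]+)", dig_text)
    return m.group(1) if m else "UNKNOWN"

def records(dig_text, rtype):
    """Return (ttl, rdata) for each answer line of the given record type."""
    out = []
    for line in dig_text.splitlines():
        if line.startswith(";") or not line.strip():
            continue
        f = line.split(None, 4)
        if len(f) == 5 and f[2] == "IN" and f[3] == rtype:
            out.append((int(f[1]), f[4]))
    return out

def diagnose(validated, unchecked, parent_ds, child_dnskey):
    """Classify why a validating resolver cannot resolve the name."""
    if rcode(validated) == "NOERROR":
        return ("ok", 0)
    if rcode(unchecked) != "NOERROR":
        return ("not-dnssec", 0)      # fails even with validation off
    ds = records(parent_ds, "DS")
    keys = records(child_dnskey, "DNSKEY")
    wait = max((ttl for ttl, _ in ds), default=0)
    if ds and not keys:
        # Parent says "signed", child serves no keys: stale DS left at the registry.
        return ("stale-ds", wait)
    if ds and keys:
        return ("ds-dnskey-mismatch", wait)
    return ("validation-failure", 0)

if __name__ == "__main__":
    verdict, wait = diagnose(VALIDATED, UNCHECKED, PARENT_DS, CHILD_DNSKEY)
    print(f"{verdict}: cached DS can persist up to {wait}s after removal")
```

The second value is the largest DS TTL seen in the resolver's answer, which bounds how long that resolver can keep treating the zone as signed after the DS record has been removed.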

When asking to clear the DNS cache, I was asking specifically for the SSL provisioning feature within Netlify because the domain list was showing Netlify DNS correctly and the two sections on the same screen were not showing the same information.

That being said, I can confirm that the SSL section is now reporting the correct DNS information and the certificate was generated after a couple of failed attempts.
