Stuck on Waiting on DNS propagation

Hi guys, I’ve been able to successfully use Netlify DNS many times in the past and have letsencrypt certificates automatically issued with no problem. However, a particular domain I own - ritavilaret.com - doesn’t seem to work and it’s indefinitely stuck on “Waiting on DNS propagation”. Using dig locally and via the browser to inspect DNS returns all the expected “NS” entries.

Any help would be much appreciated. Many thanks!

Example debugging below, using an external DNS resolver from Google:

$ dig @8.8.8.8 NS ritavilaret.com

; <<>> DiG 9.10.6 <<>> @8.8.8.8 NS ritavilaret.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50891
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ritavilaret.com.		IN	NS

;; ANSWER SECTION:
ritavilaret.com.	299	IN	NS	dns1.p02.nsone.net.
ritavilaret.com.	299	IN	NS	dns2.p02.nsone.net.
ritavilaret.com.	299	IN	NS	dns3.p02.nsone.net.
ritavilaret.com.	299	IN	NS	dns4.p02.nsone.net.

;; Query time: 24 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 23 12:34:20 GMT 2020
;; MSG SIZE  rcvd: 133

Hi, @nunogt, and welcome to our Netlify community site. :slight_smile:

It appears the name server (NS) records were added instead of changed. The WHOIS records show AWS name servers:

$ whois ritavilaret.com | grep -i "name server"
   Name Server: NS-1085.AWSDNS-07.ORG
   Name Server: NS-155.AWSDNS-19.COM
   Name Server: NS-1558.AWSDNS-02.CO.UK
   Name Server: NS-873.AWSDNS-45.NET
Name Server: ns-1085.awsdns-07.org
Name Server: ns-155.awsdns-19.com
Name Server: ns-1558.awsdns-02.co.uk
Name Server: ns-873.awsdns-45.net

However, a traced DNS lookup shows those name servers respond with the Netlify DNS name servers, but that our name servers are not actually used:

$ dig ritavilaret.com NS  +trace | tail -n 18
;; Received 1175 bytes from 192.112.36.4#53(g.root-servers.net) in 74 ms

ritavilaret.com.	172800	IN	NS	ns-155.awsdns-19.com.
ritavilaret.com.	172800	IN	NS	ns-873.awsdns-45.net.
ritavilaret.com.	172800	IN	NS	ns-1558.awsdns-02.co.uk.
ritavilaret.com.	172800	IN	NS	ns-1085.awsdns-07.org.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A  NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20200302054943 20200224043943 56311 com. G8dklsF4RlT6p0d3FsjNfd8sVdOGTdaojV5L2BjYh2nyj0D3+wvU2016 MuhRg1xzoALC/mSmjDFst2JwJlBarXPL59349jP1p3jZ4Ma4/cqxGS3A 8GbOedcGy+iiSqNIP9c11JmG54JmRzsqAuTZDuTXJCriFh64u1uC9eFw KBpgJ7AYdpZQ4R6SO0h7SrRdhpmeAf0uZfDOLsWP6P8eaw==
V1VJPN9AN35BDKI3SGRFIQQ5M9JR2L92.com. 86400 IN NSEC3 1 1 0 - V1VKKOMK6PSRVRE4PG6TSP4A42HSMBAN  NS DS RRSIG
V1VJPN9AN35BDKI3SGRFIQQ5M9JR2L92.com. 86400 IN RRSIG NSEC3 8 2 86400 20200229054425 20200222043425 56311 com. uA1wRgeVobjRx88B1m4eI48qyC/vJa+nXg157mWJfJpkWAellS+ojIb3 /j4KGh+ywTHMvNSMI5imAy7m41s1fQY30HZ5N5qdwPZI/sHS4+7Lh6VP Od47K74ALDdGXF6lK4YnmmrtLKxfNFI/yHP8XqRPRwUX5/COy0kuxirq BghBnFIB0aCwGS0kkmMQuGVVnwsTUIpHsCSwuH/a+9A4sw==
;; Received 746 bytes from 192.33.14.30#53(b.gtld-servers.net) in 12 ms

ritavilaret.com.	300	IN	NS	dns1.p02.nsone.net.
ritavilaret.com.	300	IN	NS	dns2.p02.nsone.net.
ritavilaret.com.	300	IN	NS	dns3.p02.nsone.net.
ritavilaret.com.	300	IN	NS	dns4.p02.nsone.net.
;; Received 133 bytes from 205.251.192.155#53(ns-155.awsdns-19.com) in 17 ms

The important detail above is that while dns1.p02.nsone.net through dns4.p02.nsone.net are returned as answers, they are not the name servers used. The name server ns-155.awsdns-19.com is answering the request above at the end.

I believe the instructions for changing the name servers at Route 53 can be found here:

If there are other questions or concerns, please let us know.
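The parent/child comparison described in the answer above, as an added example that is not part of the original thread: it reads `dig +trace` output, takes the NS set the registry delegates to and the NS set the zone publishes about itself, and reports whether they agree. The function names and the result keys are assumptions made for this sketch; the sample input is constructed from the trace lines quoted in the thread.

```python
import re

RECEIVED = re.compile(r"^;; Received \d+ bytes from \S+#\d+\(([^)]+)\)")
# Constructed sample: NS lines and "Received" footers from the thread's trace.
SAMPLE_TRACE = """\
ritavilaret.com. 172800 IN NS ns-155.awsdns-19.com.
ritavilaret.com. 172800 IN NS ns-873.awsdns-45.net.
ritavilaret.com. 172800 IN NS ns-1558.awsdns-02.co.uk.
ritavilaret.com. 172800 IN NS ns-1085.awsdns-07.org.
;; Received 746 bytes from 192.33.14.30#53(b.gtld-servers.net) in 12 ms

ritavilaret.com. 300 IN NS dns1.p02.nsone.net.
ritavilaret.com. 300 IN NS dns2.p02.nsone.net.
ritavilaret.com. 300 IN NS dns3.p02.nsone.net.
ritavilaret.com. 300 IN NS dns4.p02.nsone.net.
;; Received 133 bytes from 205.251.192.155#53(ns-155.awsdns-19.com) in 17 ms
"""

def parse_hops(trace, zone):
    """Return [(answering server, NS names given for zone)], one per trace hop."""
    zone = zone.rstrip(".").lower() + "."
    hops, current = [], set()
    for line in trace.splitlines():
        m = RECEIVED.match(line)
        if m:  # footer closes the hop: record who sent the lines above it
            hops.append((m.group(1).lower().rstrip("."), current))
            current = set()
            continue
        f = line.split()
        if len(f) == 5 and f[0].lower() == zone and f[3] == "NS":
            current.add(f[4].lower().rstrip("."))
    return hops

def check_delegation(trace, zone):
    """Compare the parent's delegation (second-to-last hop) with the zone's own NS set."""
    hops = [h for h in parse_hops(trace, zone) if h[1]]  # skip root/TLD hops
    if len(hops) < 2:
        raise ValueError("trace lacks a delegation and an answer for " + zone)
    (_, delegated), (answered_by, served) = hops[-2], hops[-1]
    return {
        "delegated": sorted(delegated),      # what the registry hands out
        "served": sorted(served),            # what the zone claims about itself
        "answered_by": answered_by,
        "consistent": delegated == served,
        "answerer_in_served_set": answered_by in served,
    }

if __name__ == "__main__":
    print(check_delegation(SAMPLE_TRACE, "ritavilaret.com"))
```

For a live check, pass the text of `dig NS <domain> +trace` to `check_delegation` in place of the sample.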

Thanks @luke that was really helpful, I missed that important detail, which I’ve since rectified. Thanks for the help, all looking good now.