Stuck on Waiting on DNS propagation

Hi guys, I’ve been able to successfully use Netlify DNS many times in the past and have letsencrypt certificates automatically issued with no problem. However, a particular domain I own - - doesn’t seem to work and it’s indefinitely stuck on “Waiting on DNS propagation”. Using dig locally and via the browser to inspect DNS returns all the expected “NS” entries.

Any help would be much appreciated. Many thanks!

Example debugging below, using an external DNS resolver from Google:

$ dig @ NS

; <<>> DiG 9.10.6 <<>> @ NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50891
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;		IN	NS

;; ANSWER SECTION:
299	IN	NS
299	IN	NS
299	IN	NS
299	IN	NS

;; Query time: 24 msec
;; WHEN: Sun Feb 23 12:34:20 GMT 2020
;; MSG SIZE  rcvd: 133

Hi, @nunogt, and welcome to our Netlify community site. :slight_smile:

It appears the name server (NS) records were added instead of changed. The WHOIS record shows AWS name servers:

$ whois | grep -i "name server"
   Name Server: NS-1085.AWSDNS-07.ORG
   Name Server: NS-155.AWSDNS-19.COM
   Name Server: NS-1558.AWSDNS-02.CO.UK
   Name Server: NS-873.AWSDNS-45.NET
Name Server:
Name Server:
Name Server:
Name Server:

However, a traced DNS lookup shows those name servers respond with the Netlify DNS name servers but that our name servers are not actually used:

$ dig NS  +trace | tail -n 18
;; Received 1175 bytes from in 74 ms
172800	IN	NS
172800	IN	NS
172800	IN	NS
172800	IN	NS
86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A  NS SOA RRSIG DNSKEY NSEC3PARAM
86400 IN RRSIG NSEC3 8 2 86400 20200302054943 20200224043943 56311 com. G8dklsF4RlT6p0d3FsjNfd8sVdOGTdaojV5L2BjYh2nyj0D3+wvU2016 MuhRg1xzoALC/mSmjDFst2JwJlBarXPL59349jP1p3jZ4Ma4/cqxGS3A 8GbOedcGy+iiSqNIP9c11JmG54JmRzsqAuTZDuTXJCriFh64u1uC9eFw KBpgJ7AYdpZQ4R6SO0h7SrRdhpmeAf0uZfDOLsWP6P8eaw==
86400 IN NSEC3 1 1 0 - V1VKKOMK6PSRVRE4PG6TSP4A42HSMBAN  NS DS RRSIG
86400 IN RRSIG NSEC3 8 2 86400 20200229054425 20200222043425 56311 com. uA1wRgeVobjRx88B1m4eI48qyC/vJa+nXg157mWJfJpkWAellS+ojIb3 /j4KGh+ywTHMvNSMI5imAy7m41s1fQY30HZ5N5qdwPZI/sHS4+7Lh6VP Od47K74ALDdGXF6lK4YnmmrtLKxfNFI/yHP8XqRPRwUX5/COy0kuxirq BghBnFIB0aCwGS0kkmMQuGVVnwsTUIpHsCSwuH/a+9A4sw==
;; Received 746 bytes from in 12 ms
300	IN	NS
300	IN	NS
300	IN	NS
300	IN	NS
;; Received 133 bytes from in 17 ms
;; Received 133 bytes from in 17 ms

The important detail above is that while through are returned as answers they are not the name servers used. The name server is answering the request above at the end.

I believe the instructions for changing the name servers at Route 53 can be found here:

If there are other questions or concerns, please let us know.
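
The comparison made in the answer above (name servers delegated by the registrar/TLD versus the NS records the zone itself publishes) can be automated over `dig +trace` output. This is an added example, not part of the original thread; `check_delegation` is a hypothetical helper, and `example.com`, the `*.example` host names and the addresses in the sample are constructed.

```shell
# Constructed sample of `dig NS example.com +trace` output (not from the thread).
SAMPLE_TRACE='.  518400  IN  NS  a.root-servers.net.
;; Received 239 bytes from 192.0.2.53#53(192.0.2.53) in 5 ms
com.  172800  IN  NS  a.gtld-servers.net.
;; Received 1175 bytes from 198.51.100.4#53(a.root-servers.net) in 74 ms
example.com.  172800  IN  NS  ns1.old-host.example.
example.com.  172800  IN  NS  ns2.old-host.example.
;; Received 746 bytes from 198.51.100.30#53(a.gtld-servers.net) in 12 ms
example.com.  300  IN  NS  dns1.new-host.example.
example.com.  300  IN  NS  dns2.new-host.example.
;; Received 133 bytes from 203.0.113.7#53(ns1.old-host.example) in 17 ms'

# Reads `dig +trace` output on stdin and compares the NS set in the parent
# referral with the NS set returned by the zone's own servers.
# Live use: dig NS example.com +trace | check_delegation example.com
# Exit status: 0 = sets match, 1 = mismatch, 2 = trace incomplete.
check_delegation() {
  awk -v zone="$1" '
    BEGIN { zone = tolower(zone); sub(/\.$/, "", zone); zone = zone "."; sec = 1 }
    /^;; Received / { from[sec] = $6; sec++; next }  # this line closes one hop
    /^;/ || NF < 5  { next }                          # comments and blank lines
    tolower($1) == zone && $4 == "NS" {
      if (!first) first = sec   # first hop naming the zone: the parent referral
      last = sec                # last hop naming the zone: the zone answer
      seen[sec, tolower($5)] = 1
    }
    END {
      if (!first)        { print "NO_DELEGATION";  exit 2 }
      if (first == last) { print "NO_ZONE_ANSWER"; exit 2 }
      for (k in seen) {
        split(k, p, SUBSEP)
        if (p[1] == first) parent[p[2]] = 1
        if (p[1] == last)  child[p[2]]  = 1
      }
      for (n in parent) if (!(n in child))  diff = diff "  only at registrar/TLD: " n "\n"
      for (n in child)  if (!(n in parent)) diff = diff "  only in zone data:     " n "\n"
      if (diff == "") { print "MATCH"; exit 0 }
      printf "MISMATCH (zone answer came from %s)\n%s", from[last], diff
      exit 1
    }'
}

printf '%s\n' "$SAMPLE_TRACE" | check_delegation example.com || true
```

A `MISMATCH` whose answering server belongs to the registrar/TLD set is the situation in this thread: the new NS records exist in the old provider's zone, but the delegation at the registrar was never changed.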

Thanks @luke that was really helpful, I missed that important detail, which I’ve since rectified. Thanks for the help, all looking good now.