[Support Guide] Why do DNS / SSL changes take up to 48 hours to propagate? (TTL)

Last reviewed by Netlify Support on 13 Sep 2021

How do time to live (TTL) values affect changes to DNS records?

People often ask why the changes to DNS (Domain Name System) records are not taking effect. The answer to this often involves a core mechanism of how DNS functions - the “time to live” (TTL) values for the DNS records themselves.

This topic is here to answer those questions! :+1:!

If you’d prefer a TL;DR in the form of a video, check this out:

(Link to minimal downtime guide referenced in the video)

Otherwise, please read on :slight_smile:.

You might make a DNS record change, double check that it is working for you, but Netlify or Google’s DNS still shows the previous DNS record. Why don’t Netlify, Google, or someone else on the internet see what you see?

The answer is almost always that the previous records and their values are cached (stored temporarily) because of the TTL values in the DNS records themselves.

In most cases, all you can do is wait for the previous records to expire. There is very little that can be done besides waiting. However, if you know about this in advance, you can avoid the delay!

So how do we deal with or prevent these delays? The best way is to be aware of the TTL and reduce it in advance of a change. We have a different community Support Guide about this here:

If you want to learn more about TTL values and DNS record caching, please continue reading.

What is a TTL value?

Let’s take an example, using our own domain netlify.com. We can use the command line tool dig for nearly all DNS related troubleshooting. It can be installed on most operating systems (including Windows). Here is an example of using dig to find the name server (NS records) for netlify.com:

$ dig netlify.com NS  +noall +answer

; <<>> DiG 9.10.6 <<>> netlify.com NS +noall +answer
;; global options: +cmd
netlify.com.		3600	IN	NS	dns1.p04.nsone.net.
netlify.com.		3600	IN	NS	dns2.p04.nsone.net.
netlify.com.		3600	IN	NS	dns3.p04.nsone.net.
netlify.com.		3600	IN	NS	dns4.p04.nsone.net.
netlify.com.		3600	IN	NS	ns01.netlifydns.com.
netlify.com.		3600	IN	NS	ns02.netlifydns.com.
netlify.com.		3600	IN	NS	ns03.netlifydns.com.
netlify.com.		3600	IN	NS	ns04.netlifydns.com.

The second field is the TTL value. The TTL values for all records above are 3600. So, what does this value do?

How does the TTL value operate?

DNS is both recursive and distributed. Each domain name has an authoritative DNS server or servers. Other DNS servers query the authoritative servers and cache the record for as long as the TTL value (a time in seconds) indicates to cache them.

This caching helps to reduce load on the authoritative servers and to make responses faster by having the local DNS server skip lookups for records it has already requested and cached.

An example

For netlify.com, the authoritative DNS servers are the ones listed above.

Your internet service provider (ISP) provides you with a DNS server. It is likely that many other people using your ISP also visit Netlify’s site. When your ISP looks up a DNS record it creates work for the authoritative name servers it queries.

To reduce that load on the authoritative servers, other name servers (like the ones at your ISP) are both allowed and recommended to cache DNS records for a number of seconds - that number being the TTL value in the record itself.

The process works like this:

  1. A user’s computer at an ISP (let’s call them ISP A) makes a DNS lookup for the Netlify NS records above. We’ll call this person’s computer “system #1”.
  2. The local DNS server used by all the users at the ISP A makes a DNS lookup and receives the records above.
  3. The DNS server at the ISP returns those records to the system that requested them - system #1.
  4. A second user with a different computer (we’ll call it system #2) but the same ISP also requests these same records.
  5. The DNS server will see those records have recently been requested and that locally cached copies of the records are available. Instead of asking for the same records again, the ISP A’s DNS server will return the cached records.

Why is the record cached? To reduce the load on the authoritative server and internet traffic in general.
If the DNS record is in the cache, the query never leaves the ISP’s data center. Also, if the authoritative server goes offline the cached records will mean people can still visit that domain until the TTL expires. This caching is part of how internet networking is designed.

How does this affect DNS record changes?

The TTL will tell your ISP’s DNS server to not request the record again and use the cached record from the first query until the TTL expires.

This means that if you change the record on the authoritative server, the downstream servers won’t even try to check those records until the previous records have expired.

If we were to change our name servers for netlify.com it could take 3600 seconds (1 hour) for the records to change when people at ISP A request the servers. (There are workarounds to avoid these delays and there is more about this in the common issue linked to above.)

If we change the record on our authoritative server, the ISP A server won’t see it until the cached record expires.

Now what if the TTL value is 86400? (This TTL value of 86400 is a requirement for NS records at some top-level domains - for example domains ending in .is.) You can see more about that in this topic.

If someone makes a change to the NS records at their domain registrar for a .is domain, it can take 86400 seconds (which is 24 hours) for the records to update for everyone else using the internet.


The key point here is that changes to DNS records can take time to take effect on the internet. You can update your DNS records but that doesn’t mean that everyone on the internet will see it immediately.
These changes can sometimes take 24 hours (or more!!!) to take effect. This depends on the TTL value in the previous record, not the new one.

Google offers a tool to expire records from their public DNS servers, however, that only helps for people using those servers. If people use the DNS servers for their ISP, the changes on the Google DNS won’t affect them.

The best solution is the one at the top of this topic - reduce the TTL in advance. Preparation is the surest way to avoid TTL issues when changing records.

If there are other questions about TTLs, DNS, and how they relate to hosting sites at Netlify, please ask them below. We’ll be happy to answer!
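To check whether a resolver is still serving a cached copy of the old record, and how long that copy has left, compare the authoritative answer with the resolver's answer. The script below is an added example, not part of the original guide: the function names are hypothetical, and the two sample answers (www.example.com and the 203.0.113.x addresses) are constructed.

```shell
#!/bin/sh
# Constructed sample: the authoritative answer after a record change, as from
#   dig @<authoritative-ns> www.example.com A +noall +answer
AUTH_ANSWER='www.example.com.	300	IN	A	203.0.113.20'
# Constructed sample: a caching resolver still holding the previous record.
# Its TTL field counts down from the old record's 3600.
CACHED_ANSWER='www.example.com.	2214	IN	A	203.0.113.10'

# rdata_set: read dig answer lines on stdin, print "TYPE RDATA" sorted.
# The TTL field is deliberately ignored so only record content is compared.
rdata_set() {
    awk '!/^;/ && NF >= 5 {
        out = $4
        for (i = 5; i <= NF; i++) out = out " " $i
        print out
    }' | sort
}

# max_ttl: read dig answer lines on stdin, print the largest TTL (field 2).
max_ttl() {
    awk '!/^;/ && NF >= 5 && $2 + 0 > m { m = $2 + 0 } END { print m + 0 }'
}

# stale_wait AUTH CACHED: print 0 when the resolver already returns the
# authoritative data; otherwise print the seconds left on the cached copy,
# which is governed by the previous record's TTL, not the new one.
stale_wait() {
    a=$(printf '%s\n' "$1" | rdata_set)
    c=$(printf '%s\n' "$2" | rdata_set)
    if [ "$a" = "$c" ]; then
        echo 0
    else
        printf '%s\n' "$2" | max_ttl
    fi
}

echo "seconds until the resolver refreshes: $(stale_wait "$AUTH_ANSWER" "$CACHED_ANSWER")"

# Live use (needs network access), comparing one of the authoritative servers
# listed above with Google Public DNS:
#   stale_wait "$(dig @dns1.p04.nsone.net netlify.com NS +noall +answer)" \
#              "$(dig @8.8.8.8 netlify.com NS +noall +answer)"
```

A result of 0 means that resolver already has the new data; any other value is the worst-case wait in seconds for that one resolver only.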


I’m setting up some DNS stuff and decided to use Netlify’s DNS offering. So obviously I have to port over all the DNS records from previous service. My question is when it comes to google MX, TXT, SPF records or CNAMES for their services is the period at the end important? Do I leave it on or remove it when entering data into netlify DNS records?

e.g. 1 aspmx.l.google.com. or 1 aspmx.l.google.com

Similarly do the TXT records or SPF records include or omit the double quotes?

e.g. is it “v=spf1 include:_spf.google.com ~all” or v=spf1 include:_spf.google.com ~all

Does this matter, will it break my DNS!!

Quick answers to your questions:

  1. You do not need the trailing dot in our settings. It varies by service, but we don’t need it.
  2. You do not need the quotes on SPF records - we’ll quote for you automagically.

If the trailing dots are included will it break DNS?

tl;dr - You don’t need to include it. :slight_smile:

@DaveHarrison, behind the scenes, all top-level domains have an ending dot. However, almost no software (other than DNS name servers themselves) ever includes it.

So, technically speaking, example.com is in reality example.com. with a dot at the end.

However, practically speaking, almost no user interface will ever show those ending dots (not even a web interface for a DNS zone configuration).

The dots appear in the DNS responses in the topic above only because they are in the responses from the DNS server (which, as mentioned, is one of the rare types of software that includes or displays them).

With Netlify DNS, regardless of whether you include the trailing dot or not, we’ll “do the right thing”. It will work correctly with or without it. (By this I mean that our DNS servers always include the trailing dot because the DNS standard says to do so.)

Completely new to all of this, but it makes sense. I’m still confused, however. Why it’s taking 24hrs already to point the name servers from namecheap to netlify, when I don’t have a site yet. There’s no need to wait for the cache to expire.

In short, all ISPs and providers between us, NS1, your registrar, Let’s Encrypt, and you, need to be aware of the changes. This is the process which can take time and, regrettably, we’re at the mercy of these intermediaries to determine how quick it happens!


Thanks Pie! So all I need to do is

  1. go to your domain registrar and change your domain’s nameservers to the following custom host names assigned to your DNS zone. (which I’ve done)
  2. Be patient :slight_smile:

Exactly that! Usually within a couple of hours, the DNS/SSL sections within the Netlify UI will suddenly ‘just work’ :tada:

Sorry, me again
what does this mean

have the DNS changes taken place
but in my Netlify UI I still see this

Hi, @ck1ldn. You are seeing a “start of authority” or SOA record for the DNS zone. DNS servers send SOA records when they don’t have an answer for a query but do have a DNS zone configured for the apex domain in question.

In other words, the DNS lookup couldn’t find the A record so it sent the SOA for the zone instead.

I’ve looked at the DNS zone for this custom domain at Netlify and there are no A records (or NETLIFY type records) configured for this zone. NETLIFY type DNS records are special “alias” records our service uses and you can find more information about them in this support guide.

If you add an apex domain to a site (or some subdomain of that apex), Netlify DNS will automatically create the NETLIFY type records needed. Because this hasn’t been done for any sites, there are no NETLIFY records.

I also don’t see any sites on the account where this domain is configured. So, step one will be to deploy your site. Once the site is deployed, then you can add the custom domain to the site using these instructions:


If there are other questions about this, please let us know.


THANK YOU SO MUCH! I know where I went wrong, well after you told me :slight_smile: and what I didn’t understand :slight_smile: All up and running and site is live. Just need to tinker around with it.


Hi, @ck1ldn. Thanks for letting us know it is working now and thanks as well for letting us know if our suggestions were helpful or not. (The feedback helps!) :smiley: