DNS verification failed - doesn't appear to be served by Netlify

Hi Team,

I am trying to configure an SSL cert for rennoco.com.

I can see in the network tab that the site is served through Netlify. I have also updated the name servers in GoDaddy (where this was initially managed).

When I am trying to issue an SSL cert, I get DNS verification failed. Upon retrying DNS verification, I get “doesn’t appear to be served by Netlify”.

Can you please point me in the right direction? Thanks in advance.

@rajesh.kondapalli70 You might try re-entering your DNS records at GoDaddy. I’m not seeing any DNS records for this domain name.

@gregraven, I have configured the nameservers provided by Netlify in GoDaddy. For the DNS records, it shows the message below.
Message: We can’t display your DNS information because your nameservers aren’t managed by us.

But I have configured all the DNS records in Netlify.

Here’s what I did. I went to GoDaddy and changed the nameservers to the ones provided by Netlify.

In my Netlify DNS panel, I have configured all the DNS records from GoDaddy. Once external nameservers are added in GoDaddy, the option to add DNS records is not enabled.

This is what I get when I execute the dig command. I can see Netlify’s nameservers.

; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> rennoco.com -t NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54128
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rennoco.com.                   IN      NS

;; ANSWER SECTION:
rennoco.com.            3600    IN      NS      dns3.p02.nsone.net.
rennoco.com.            3600    IN      NS      dns2.p02.nsone.net.
rennoco.com.            3600    IN      NS      dns4.p02.nsone.net.
rennoco.com.            3600    IN      NS      dns1.p02.nsone.net.

;; Query time: 16 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Aug 10 22:45:51 IST 2020
;; MSG SIZE  rcvd: 129

@rajesh.kondapalli70 OK, I can see your DNS entries on some DNS servers, but it’s not propagating worth a darn. Two of the six top-level DNS servers I polled show your DNS records, but the other four are blank.

Hi, @rajesh.kondapalli70. The issue is that this domain has DNSSEC enabled at the registrar but Netlify DNS doesn’t support DNSSEC.

You can see the errors here:

https://dnssec-analyzer.verisignlabs.com/rennoco.com

The solution for this is to either:

  • disable DNSSEC at the registrar for this domain name

or:

  • stop using Netlify DNS for this domain

If you stop using Netlify DNS, you can still use the external DNS instructions to connect the custom domain to a site at Netlify.

Please let us know if there are any other questions about this.

Hey @luke, Thanks for reaching out.

I have reconfigured the DNS back to GoDaddy as you suggested.
I have an A record pointed to Netlify’s load balancer and a CNAME to www.rennoco.com.

I can still see this issue while I am trying to get a certificate.

This is what I get when I run dig trace:

; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> rennoco.com +trace
;; global options: +cmd
.                       83653   IN      NS      m.root-servers.net.
.                       83653   IN      NS      a.root-servers.net.
.                       83653   IN      NS      g.root-servers.net.
.                       83653   IN      NS      e.root-servers.net.
.                       83653   IN      NS      l.root-servers.net.
.                       83653   IN      NS      f.root-servers.net.
.                       83653   IN      NS      d.root-servers.net.
.                       83653   IN      NS      c.root-servers.net.
.                       83653   IN      NS      i.root-servers.net.
.                       83653   IN      NS      b.root-servers.net.
.                       83653   IN      NS      k.root-servers.net.
.                       83653   IN      NS      j.root-servers.net.
.                       83653   IN      NS      h.root-servers.net.
;; Received 512 bytes from 192.168.1.1#53(192.168.1.1) in 6 ms

com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20200825150000 20200812140000 46594 . 1Y0V7nWy/PWrtq1VMQ4RmuwFLsLM4473h9tGhI8ZwycAYdU2lgVv8U0u 49BNfVBBOIuND7t1C7Db1V6baAgMNW5+Po1QJVZh0nPr2RS90P5zqNq3 d+lFpaAM6OqdgMZjx3WZlwHujgXXZF+n8WsEW1SORtid6klDvLHfsTwa eaciZuv/SEeI8fsmuHyxwHMqOpLvJzTcfTJmMJGHjZO4g56OIsTNmVI/ VugDh027PRU6NywG6BNs+nF4rbrCNBvFBkeWChn5zniTbWgnhe4bJGVO V0ReLinghIL3WXE61f54PKPIzJXqDUtlk0p/W0rf/abJtep7+BtrI/pk u1IZzw==
;; Received 1171 bytes from 192.5.5.241#53(f.root-servers.net) in 2 ms

rennoco.com.            172800  IN      NS      ns73.domaincontrol.com.
rennoco.com.            172800  IN      NS      ns74.domaincontrol.com.
rennoco.com.            86400   IN      DS      12353 13 2 3AAEACAB40CECC84E84E02A740D9B5B44B97263FF0D0806283046BE2 D80B3636
rennoco.com.            86400   IN      RRSIG   DS 8 2 86400 20200818051544 20200811040544 24966 com. ZzfoNaGceTgv8n8bkH5+n9t2DkMrtyB2rea2u9IHSVUXy33fV4QjUGXi Gm2jPdxXDpyM1vs8/eEOL+Od+DE5sYNL4Rrgh9m4gQMfyNohBJIo6H4p Rta5mWl9O1TGCMi8WxfihwAAS5HC48ifnncB3Axgdj6zHxqXoUI674cy 8iI/EomoVwVISiHlgjD84gAy+nvoMymHE05s+QlCVeDmpg==
;; Received 423 bytes from 192.43.172.30#53(i.gtld-servers.net) in 142 ms

rennoco.com.            600     IN      A       104.198.14.52
rennoco.com.            3600    IN      NS      ns73.domaincontrol.com.
rennoco.com.            3600    IN      NS      ns74.domaincontrol.com.
;; Received 108 bytes from 173.201.74.47#53(ns74.domaincontrol.com) in 214 ms

@rajesh.kondapalli70 Propagation is the same as before – only two out of six top-level resolvers are returning your DNS entries. I can see that you switched away from Netlify, but there is no A record, no NS records, etc.

To follow up on what Greg was seeing, I think there is a more fundamental problem here, in that you have some DNSSEC problems as shown in this 3rd party tool: https://dnsviz.net/d/rennoco.com/dnssec/ (all of the red errors are problems you’ll want to resolve - probably will all be covered by one operation, as described below.)

That will prevent many lookups from working well and should be resolved with your DNS host - I don’t know how they resolve it, but I am sure their tech support will understand and be able to help with the request. We don’t support DNSSEC in our DNS hosting at present, so this would be something you had configured at GoDaddy that also probably blocked your success when trying to use our DNS service.
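The DNSSEC condition discussed in this thread can be read straight off the `dig +trace` output: the `.com` servers hand out a DS record for rennoco.com, so validating resolvers expect a matching DNSKEY from whichever DNS host is authoritative. The following is an added example, not part of any post above and not Netlify's or GoDaddy's tooling; the function names are hypothetical, and `child_key_tags` is assumed to be collected separately from the DNSKEY answer of the zone's own name servers.

```python
import re

# Trimmed from the `dig +trace` output posted in the thread (RRSIG lines dropped).
TRACE = """\
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
;; Received 1171 bytes from 192.5.5.241#53(f.root-servers.net) in 2 ms

rennoco.com.            172800  IN      NS      ns73.domaincontrol.com.
rennoco.com.            172800  IN      NS      ns74.domaincontrol.com.
rennoco.com.            86400   IN      DS      12353 13 2 3AAEACAB40CECC84E84E02A740D9B5B44B97263FF0D0806283046BE2 D80B3636
;; Received 423 bytes from 192.43.172.30#53(i.gtld-servers.net) in 142 ms

rennoco.com.            600     IN      A       104.198.14.52
rennoco.com.            3600    IN      NS      ns73.domaincontrol.com.
rennoco.com.            3600    IN      NS      ns74.domaincontrol.com.
;; Received 108 bytes from 173.201.74.47#53(ns74.domaincontrol.com) in 214 ms
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")
FROM = re.compile(r"^;; Received \d+ bytes from \S+\((\S+?)\)", re.M)

def parent_delegation(trace, zone):
    """Return (ns_names, ds_records, answering_server) from the parent's referral."""
    zone = zone.rstrip(".").lower() + "."
    for block in re.split(r"\n\s*\n", trace):
        rrs = [m.groups() for m in map(RR.match, block.splitlines()) if m]
        ns = [rdata for owner, rtype, rdata in rrs
              if owner.lower() == zone and rtype == "NS"]
        if ns:  # the first block naming the zone's NS set is the parent's referral
            ds = [rdata for owner, rtype, rdata in rrs
                  if owner.lower() == zone and rtype == "DS"]
            src = FROM.search(block)
            return ns, ds, src.group(1) if src else None
    return [], [], None

def dnssec_state(ds_records, child_key_tags):
    """Classify the delegation from the parent's DS set and the child's DNSKEY key tags."""
    if not ds_records:
        return "insecure"  # no DS at the parent: unsigned delegation, nothing to validate
    parent_tags = {int(ds.split()[0]) for ds in ds_records}
    if parent_tags & set(child_key_tags):
        return "linked"    # DS points at a published key; signatures still need checking
    return "bogus"         # DS without a matching DNSKEY: validating resolvers answer SERVFAIL

if __name__ == "__main__":
    ns, ds, src = parent_delegation(TRACE, "rennoco.com")
    print(src, ns, ds)
    # A DNS host that does not sign the zone publishes no DNSKEY at all.
    print(dnssec_state(ds, child_key_tags=set()))
```

Removing the DS record at the registrar moves the result to `insecure`, which is the state a DNS host without DNSSEC support needs before resolvers will accept its answers.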