[Support Guide] Why do DNS / SSL changes take up to 48 hours to propagate? (TTL)

How do time to live (TTL) values affect changes to DNS records?

People often ask why the changes to DNS (Domain Name System) records are not taking effect. The answer to this often involves a core mechanism of how DNS functions - the “time to live” (TTL) values for the DNS records themselves.

This topic is here to answer those questions! :+1:

You might make a DNS record change, double check that it is working for you, but Netlify or Google’s DNS still shows the previous DNS record. Why don’t Netlify, Google, or someone else on the internet see what you see?

The answer is almost always that the previous records are cached (stored temporarily) because of the TTL values in the DNS records themselves.

In most cases, all you can do is wait for the previous records to expire. There is very little that can be done besides waiting. However, if you know about this in advance, you can avoid the delay!

So how do we deal with or prevent these delays? The best way is to be aware of the TTL and reduce it in advance of a change. We have a different community “common issue” topic about this here:

If you want to learn more about TTL values and DNS record caching, please continue reading.

What is a TTL value?

Let’s take an example, using our own domain netlify.com. I use the command line tool dig for nearly all of my DNS related troubleshooting. It can be installed on most operating systems (including Windows). Here is an example of using dig to find the name servers (NS records) for netlify.com:

$ dig netlify.com NS  +noall +answer

; <<>> DiG 9.10.6 <<>> netlify.com NS +noall +answer
;; global options: +cmd
netlify.com.		3600	IN	NS	dns1.p04.nsone.net.
netlify.com.		3600	IN	NS	dns2.p04.nsone.net.
netlify.com.		3600	IN	NS	dns3.p04.nsone.net.
netlify.com.		3600	IN	NS	dns4.p04.nsone.net.
netlify.com.		3600	IN	NS	ns01.netlifydns.com.
netlify.com.		3600	IN	NS	ns02.netlifydns.com.
netlify.com.		3600	IN	NS	ns03.netlifydns.com.
netlify.com.		3600	IN	NS	ns04.netlifydns.com.

The second field is the TTL value. The TTL values for all records above are 3600. So, what does this value do?
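To make the "second field is the TTL" point concrete, here is a small added Python example (not part of the original guide, and not Netlify's code) that parses the answer section `dig ... +noall +answer` prints, pulls out the TTL of each record, and reports the largest one, which is the longest any resolver may keep serving the old answer after a change. The sample output it parses is constructed for example.com in the same format as the guide's dig output; the MX line with a different TTL is there only to show that the maximum is what matters.

```python
"""Parse the answer section printed by `dig <name> <type> +noall +answer`.

Each answer line has five whitespace-separated fields:
    <owner>  <ttl>  <class>  <type>  <rdata...>
The second field is the TTL in seconds (the subject of this guide).
Added example; not Netlify code.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Record:
    owner: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


def parse_dig_answer(output: str) -> List[Record]:
    """Return the resource records found in dig's answer section.

    Lines starting with ';' are dig's own chatter (version banner, options)
    and are skipped, as are blank lines.
    """
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        # rdata may itself contain spaces (MX priority, TXT strings), so cap the split
        fields = line.split(None, 4)
        if len(fields) < 5:
            raise ValueError(f"unexpected answer line: {line!r}")
        owner, ttl, rclass, rtype, rdata = fields
        records.append(Record(owner, int(ttl), rclass, rtype, rdata))
    return records


def worst_case_wait(records: List[Record]) -> int:
    """Longest time (seconds) a downstream cache may keep serving any of these
    records after you change them: the largest TTL in the set."""
    return max((r.ttl for r in records), default=0)


def format_duration(seconds: int) -> str:
    """Render seconds for humans: 3600 -> '1h 0m 0s'."""
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours}h {minutes}m {secs}s"


# Constructed sample in the format dig prints; example.com data is made up.
SAMPLE_OUTPUT = """\
; <<>> DiG 9.10.6 <<>> example.com ANY +noall +answer
;; global options: +cmd
example.com.\t\t3600\tIN\tNS\tns1.example-dns.invalid.
example.com.\t\t3600\tIN\tNS\tns2.example-dns.invalid.
example.com.\t\t86400\tIN\tMX\t1 aspmx.l.google.com.
"""

if __name__ == "__main__":
    recs = parse_dig_answer(SAMPLE_OUTPUT)
    for r in recs:
        print(f"{r.rtype:<4} ttl={r.ttl:>6}  {r.rdata}")
    print("worst-case wait before every cache has expired:",
          format_duration(worst_case_wait(recs)))
```

Pipe real dig output into `parse_dig_answer` before a planned change and the reported worst-case wait tells you how far in advance the TTL should have been lowered.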

How does the TTL value operate?

DNS is both recursive and distributed. Each domain name has one or more authoritative DNS servers. Other DNS servers query the authoritative servers and cache the records for the number of seconds given by the TTL value.

This caching reduces load on the authoritative servers and makes responses faster, because the local DNS server can skip lookups for records it has already requested and cached.

An example

For netlify.com, the authoritative DNS servers are the ones listed above.

Your internet service provider (ISP) provides you with a DNS server. It is likely that many other people using your ISP also visit Netlify’s site. When your ISP looks up a DNS record it creates work for the authoritative name servers it queries.

To reduce that load on the authoritative servers, other name servers (like the ones at your ISP) are both allowed and required to cache DNS records for a number of seconds - that number being the TTL value in the record itself.

The process works like this:

  1. A user’s computer at an ISP (let’s call them ISP A) makes a DNS lookup for the Netlify NS records above. We’ll call this person’s computer “system #1”.
  2. The local DNS server used by all the users at ISP A makes a DNS lookup and receives the records above.
  3. The DNS server at the ISP returns those records to the system that requested them - system #1.
  4. A second user with a different computer (we’ll call it system #2) but the same ISP also requests these same records.
  5. The DNS server will see that those records have recently been requested and that locally cached copies of the records are available. Instead of asking for the same records again, ISP A’s DNS server will return the cached records.

Why is the record cached? To reduce the load on the authoritative server and internet traffic in general.
If the DNS record is in the cache, the query never leaves the ISP’s data center. Also, if the authoritative server goes offline the cached records will mean people can still visit that domain until the TTL expires. This caching is part of how internet networking is designed.

How does this affect DNS record changes?

The TTL will tell the ISP’s DNS server to not request the record again and use the cached record from the first query until the TTL expires.

This means that if you change the record on the authoritative server, the downstream servers won’t even try to check those records until the previous records have expired.

If we were to change our name servers for netlify.com it could take 3600 seconds (1 hour) for the records to change when people at ISP A request the servers. (There are workarounds to avoid these delays and there is more about this in the common issue linked to above.)

If we change the record on our authoritative server, the ISP A server won’t see it until the cached record expires.

Now what if the TTL value is 86400? (This TTL value of 86400 is a requirement for NS records at some top-level domains - for example domains ending in .is.) You can see more about that in this topic.

If someone makes a change to the NS records at their domain registrar for a .is domain, it can take 86400 seconds (which is 24 hours) for the records to update for everyone else using the internet.
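The five-step caching process above and the "downstream servers won’t even try until the old record expires" behaviour can be watched in a deterministic simulation. The following Python is an added example (not from the guide and not Netlify's resolver code): a toy caching resolver standing in for ISP A's DNS server, a toy authoritative server holding a made-up example.com record, and a manual clock instead of real time. It runs the guide's scenario twice, once with a 3600-second TTL and once with the TTL lowered in advance, so you can see when the change becomes visible to a client behind the cache.

```python
"""Toy model of a caching resolver in front of an authoritative server.
Added example; the servers, the example.com record and the clock are all
simulated, so no network access is needed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Authoritative:
    """The zone's current records: name -> (rdata, ttl)."""
    zone: Dict[str, Tuple[str, int]]
    queries: int = 0  # how many lookups reached us (the load caching avoids)

    def lookup(self, name: str) -> Tuple[str, int]:
        self.queries += 1
        return self.zone[name]


@dataclass
class CachingResolver:
    """Stands in for ISP A's DNS server: answers from cache until the TTL
    has elapsed, then asks the authoritative server again."""
    upstream: Authoritative
    now: int = 0  # simulated seconds
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # name -> (rdata, expires_at)

    def advance(self, seconds: int) -> None:
        self.now += seconds

    def resolve(self, name: str) -> Tuple[str, str]:
        """Return (rdata, source) with source 'cache' or 'authoritative'."""
        cached = self.cache.get(name)
        if cached is not None and self.now < cached[1]:
            return cached[0], "cache"          # still within TTL: never leaves the ISP
        rdata, ttl = self.upstream.lookup(name)
        self.cache[name] = (rdata, self.now + ttl)  # TTL starts counting from now
        return rdata, "authoritative"


def propagation_timeline(initial_ttl: int, change_at: int,
                         poll_every: int = 600) -> List[Tuple[int, str, str]]:
    """Walk the guide's scenario and return (time, answer, source) per poll.

    The record is first looked up at t=0 with `initial_ttl`; the zone owner
    changes it on the authoritative server at `change_at`; a client behind
    the caching resolver re-queries every `poll_every` seconds.
    """
    auth = Authoritative({"example.com.": ("old.host.", initial_ttl)})
    isp = CachingResolver(auth)
    timeline: List[Tuple[int, str, str]] = []
    changed = False
    while isp.now <= initial_ttl + poll_every:
        if not changed and isp.now >= change_at:
            auth.zone["example.com."] = ("new.host.", initial_ttl)  # the DNS change
            changed = True
        rdata, source = isp.resolve("example.com.")
        timeline.append((isp.now, rdata, source))
        isp.advance(poll_every)
    return timeline


def first_seen(timeline: List[Tuple[int, str, str]], answer: str) -> Optional[int]:
    """Simulated second at which the client first receives `answer`."""
    for t, rdata, _ in timeline:
        if rdata == answer:
            return t
    return None


if __name__ == "__main__":
    for ttl in (3600, 300):
        tl = propagation_timeline(initial_ttl=ttl, change_at=600)
        print(f"TTL={ttl}: change made at t=600, "
              f"client first sees it at t={first_seen(tl, 'new.host.')}")
        for t, rdata, source in tl:
            print(f"  t={t:>5}s  {rdata:<10} from {source}")
```

With the 3600-second TTL the client keeps getting `old.host.` from the cache until t=3600, even though the authoritative server changed at t=600; with the TTL lowered to 300 beforehand, the very next poll after the change already returns `new.host.`, which is exactly why the guide recommends reducing the TTL in advance.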

Summary

The key point here is that changes to DNS records can take time to take effect on the internet. You can update your DNS records but that doesn’t mean that everyone on the internet will see it immediately.
These changes can sometimes take 24 hours (or more!!!) to take effect. This depends on the TTL value in the previous - not the new record.

Google offers a tool to expire records from their public DNS servers, however, that only helps for people using those servers. If people use the DNS servers for their ISP, the changes on the Google DNS won’t affect them.

The best solution is the one at the top of this topic (reducing the TTL in advance). Preparation is the surest way to avoid TTL issues when changing records.

If there are other questions about TTLs, DNS, and how they relate to hosting sites at Netlify, please ask them below. We’ll be happy to answer!


I’m setting up some DNS stuff and decided to use Netlify’s DNS offering. So obviously I have to port over all the DNS records from the previous service. My question is, when it comes to Google MX, TXT, SPF records or CNAMEs for their services, is the period at the end important? Do I leave it on or remove it when entering data into Netlify DNS records?

e.g. 1 aspmx.l.google.com. or 1 aspmx.l.google.com

Similarly do the TXT records or SPF records include or omit the double quotes?

e.g is it “v=spf1 include:_spf.google.com ~all” or v=spf1 include:_spf.google.com ~all

Does this matter, will it break my DNS!!
Dave

Quick answers to your questions:

  1. you do not need the trailing dot in our settings. It varies by service, but we don’t need it.
  2. you do not need the quotes on SPF records - we’ll quote for you automagically.

if the trailing dots are included will it break DNS?

tl;dr - You don’t need to include it. :slight_smile:

@DaveHarrison, behind the scenes, all top-level domains have an ending dot. However, almost no software (other than DNS name servers themselves) ever includes it.

So, technically speaking, example.com is in reality example.com. with a dot at the end.

However, practically speaking, almost no user interface will ever show those ending dots (not even a web interface for a DNS zone configuration).

The dots appear in the DNS responses in the topic above only because they are in the responses from the DNS server (which, as mentioned, is one of the rare types of software that includes or displays them).

With Netlify DNS, regardless of whether you include the trailing dot or not, we’ll “do the right thing”. It will work correctly with or without it. (By this I mean that our DNS servers always include the trailing dot because the DNS standard says to do so.)
