Is the www. subdomain alone secure? Do I need the DNS zone?

I have a site with a custom domain (registered with an external provider) and listed below.

Netlify site name: rodac-gatsby-site.netlify.app
Custom Domain: www.rodacengineering.com (primary domain)
rodacengineering.com (redirects to primary domain)
The primary domain with the www. has no security issues but the domain rodacengineering.com without the www. gives a security certificate error.

I have set up Netlify DNS for the site, but it shows Netlify DNS with green labels at one moment and the error ‘check DNS configuration’ at another. This occurs for the domain without www. and varies across browsers.

Screenshots were taken on the same day.
I have added A records pointing to the IP address in the docs (104.198.14.52) and a CNAME pointing to the Netlify subdomain. I have also added the Netlify nameservers when setting up Netlify DNS.
Other nameservers have also been configured for email, so I cannot use only the nameservers from Netlify DNS. One post suggested deleting the DNS zone. Should I remove the nameservers or keep them there? The Let’s Encrypt certificate also gives an error when I try to renew.

What is the best option I can take now?

So to be clear, you do not have the Netlify nameservers set up because of your email?

If this is the case then personally I would prioritize the Netlify nameservers and connect those to the third-party domain provider. This would only be an option for you though if your email provider allowed you to point A records and/or CNAME records through the Netlify Dashboard.

If this sounds like it may work for you then give it a try since this conflict may be the reason why rodacengineering.com is not working.

Not exactly, Kyle. I added the nameservers days ago; the site was working fine then. But now the site has security issues on the rodacengineering.com domain without the www. I want to know if I should remove the Netlify nameservers or delete the DNS zone to fix the issues, or take another approach. Any help would be appreciated.

@RDjarbeng You’re probably seeing this because you have an incorrect entry in your DNS settings.

|======================= dig CNAME(s) for =======================
| ------------------ www.rodacengineering.com ------------------
| ---------------- will be blank for Netlify DNS ----------------
rodacengineering.com.
|================================================================

Your CNAME should point to your Netlify subdomain: rodac-gatsby-site.netlify.app

As a result, Netlify is not serving your apex domain:

|===================== curl check for server ====================
| ---------------------- should be Netlify ----------------------
| -------------------- rodacengineering.com --------------------
< Server: Apache

| ------------------ www.rodacengineering.com ------------------
< Server: Netlify
|================================================================

@gregraven I have already added the CNAME.
Records in the DNS include:

Type: A
Name: @
Value: 104.19814.52

Type: CNAME
Name: www
Value: rodac-gatsby-site.netlify.app

This was added a few days ago along with the netlify nameservers.

At the time of writing this, the https://www.rodacengineering.com/ now shows a not secure error and the https://www.rodacengineering.com/ shows a 403 forbidden error on Google Chrome.

Like I said, the DNS zone keeps changing.

Could there be a potential conflict? Thanks in advance for the help.

@RDjarbeng If you have made that CNAME change, it’s not coming through. Your DNS still shows the incorrect CNAME entry …

|======================= dig CNAME(s) for =======================
| ------------------ www.rodacengineering.com ------------------
| ---------------- will be blank for Netlify DNS ----------------
rodacengineering.com.
|================================================================

… and you have an inactive DNS zone.

|================== check for inactive DNS zone =================
| --------------- last line should show nsone.net ---------------
;; Received 738 bytes from 192.41.162.30#53(l.gtld-servers.net) in 84 ms
rodacengineering.com.	3600	IN	NS	ns59.domaincontrol.com.
rodacengineering.com.	3600	IN	NS	ns60.domaincontrol.com.
;; Received 101 bytes from 97.74.100.31#53(ns59.domaincontrol.com) in 18 ms
|================================================================

Hi, @RDjarbeng. I want to second what @gregraven has already said.

To summarize, I believe the following will resolve the issue:

1. Delete the DNS zone here: https://app.netlify.com/account/dns/rodacengineering.com
2. Delete the second A record below (for 160.153.129.38):

rodacengineering.com.	599	IN	A	104.198.14.52
rodacengineering.com.	599	IN	A	160.153.129.38

3. Delete this CNAME record:

www.rodacengineering.com. 10455	IN	CNAME	rodacengineering.com.

4. Replace the deleted CNAME record with:

www.rodacengineering.com. 10800	IN	CNAME	rodac-gatsby-site.netlify.app.

5. After that is complete, you can click the “Renew certificate” button to update the SSL certificate.

If there are other questions or if this doesn’t resolve the issue, please let us know.
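The three checks above (one apex A record, a www CNAME to the Netlify subdomain, nameservers that match the DNS zone) can be run over dig answer lines before clicking “Renew certificate”. This is an added example, not code from Netlify or any poster; the record lines are constructed to mirror the before/after states described in this thread, and the nsone.net nameserver name is a made-up placeholder.

```python
"""Check dig-style DNS answer lines against the Netlify setup this thread converges on."""
import re

NETLIFY_LB = "104.198.14.52"        # Netlify load balancer IP named in the thread
NETLIFY_NS_SUFFIX = ".nsone.net."   # Netlify DNS nameservers live under nsone.net

# Constructed sample (not captured output): the broken state described above.
BEFORE = """
rodacengineering.com.      599   IN  A      104.198.14.52
rodacengineering.com.      599   IN  A      160.153.129.38
www.rodacengineering.com.  10455 IN  CNAME  rodacengineering.com.
rodacengineering.com.      3600  IN  NS     ns59.domaincontrol.com.
rodacengineering.com.      3600  IN  NS     ns60.domaincontrol.com.
"""

# Constructed sample of the fixed state; the nsone.net host name is a placeholder.
AFTER = """
rodacengineering.com.      599   IN  A      104.198.14.52
www.rodacengineering.com.  10800 IN  CNAME  rodac-gatsby-site.netlify.app.
rodacengineering.com.      3600  IN  NS     dns1.p01.nsone.net.
"""


def parse_records(text):
    """Parse 'name ttl class type value' lines; skip blanks and ';;' dig comments."""
    recs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        name, _ttl, _cls, rtype, value = re.split(r"\s+", line.strip(), maxsplit=4)
        recs.append((name.lower(), rtype.upper(), value.lower()))
    return recs


def check_netlify_dns(text, apex, site, netlify_zone_exists):
    """Return a list of problems; an empty list means the records match the fix above."""
    recs = parse_records(text)
    apex = apex.rstrip(".").lower() + "."
    site = site.rstrip(".").lower() + "."
    problems = []
    a_values = [v for n, t, v in recs if n == apex and t == "A"]
    if a_values != [NETLIFY_LB]:          # a stray second A record breaks apex serving
        problems.append(f"apex A records should be exactly [{NETLIFY_LB}], got {a_values}")
    cnames = [v for n, t, v in recs if n == "www." + apex and t == "CNAME"]
    if cnames != [site]:                  # www must point at the Netlify subdomain
        problems.append(f"www CNAME should be {site}, got {cnames}")
    ns = [v for n, t, v in recs if n == apex and t == "NS"]
    if netlify_zone_exists and not all(v.endswith(NETLIFY_NS_SUFFIX) for v in ns):
        problems.append(f"Netlify DNS zone exists but delegation is {ns}: inactive zone")
    return problems
```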

I implemented the solution from @luke above and everything seems fine now. I hope it does not change. The certificate took a while but was renewed after a few minutes. Thanks Netlify :ok_hand: @gregraven @kylesloper @luke for the support :+1:.
