DNS Propagation Not Working? A Step-by-Step Checklist
When a DNS update appears to be stuck, waiting longer is not always the answer. If authoritative servers disagree, the delegation is wrong or DNSSEC validation fails, the new record may never become consistently visible.
1. Confirm the authoritative nameservers
Start at the delegation. The following command shows the nameservers advertised for the domain without relying on your normal resolver cache.
dig +trace example.com NS
dig example.com NS +short2. Query every authoritative server directly
Replace the sample nameservers with those returned for your domain. Every authoritative server should return the intended record and normally the same SOA serial.
dig @ns1.example.net example.com A +norecurse
dig @ns2.example.net example.com A +norecurse
dig @ns1.example.net example.com SOA +short
dig @ns2.example.net example.com SOA +short3. Compare recursive resolvers
If authoritative answers are correct but recursive answers differ, the remaining inconsistency is usually caching. Compare the returned value and TTL.
dig @1.1.1.1 example.com A
dig @8.8.8.8 example.com A
dig @9.9.9.9 example.com A4. Check DNSSEC when SERVFAIL appears
A broken DS record or expired DNSSEC signature can cause validating resolvers to return SERVFAIL while non-validating paths appear normal.
dig example.com A +dnssec
dig example.com DS +short
dig +trace example.com ACommon causes
Record changed in the wrong DNS provider
The active delegation may point somewhere other than the dashboard you edited.
Only one authoritative server updated
Resolvers can receive old or new data depending on which server answers.
An old DS record remains at the registrar
Validating resolvers may reject the zone after DNSSEC was changed or disabled.
The queried name is different
Check root domains, www hosts and service-specific names separately.
Negative cache is still active
A recently created record may remain absent until the cached NXDOMAIN TTL expires.