# Why does my domain fail to resolve? A domain could fail to resolve for multiple reasons, such as the domain’s name server changes not propagating completely, `DNSSEC` is enabled for the domain, DigitalOcean’s name servers are not configured at your registrar, or other DNS providers are active. ## Name Server Changes Not Completely Propagated The DNS resolution might fail if your DNS changes have not propagated across the internet. It usually takes 24-48 hours for name server changes to update completely across the internet. You can verify if the name server is completely propagated with the [global DNS propagation checker](https://dnschecker.org/). ## Verify DNSSEC Status DigitalOcean name servers do not currently offer support for domains with `DNSSEC` enabled. To ensure `DNSSEC` is disabled for your domain, run the following `dig` command on your domain. For more information about DigitalOcean and `DNSSEC`, read [Does DigitalOcean Support DNSSEC?](https://docs.digitalocean.com/support/does-digitalocean-support-dnssec/index.html.md). ```shell dig your-domain.com +dnssec ``` For example, if you run this command on `dnssec-tools.org`, you see the `RRSIG` record on the last line of the query’s `ANSWER SECTION`, which is the `DNSSEC` signature attached to the record. This denotes that `DNSSEC` is enabled for the domain. With the `RRSIG`, a DNS resolver can determine whether a DNS response is trusted. ```text ; <<>> DiG 9.10.6 <<>> dnssec-tools.org +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39984 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;dnssec-tools.org. IN A ;; ANSWER SECTION: dnssec-tools.org. 300 IN A 185.199.111.153 dnssec-tools.org. 300 IN A 185.199.108.153 dnssec-tools.org. 300 IN A 185.199.110.153 dnssec-tools.org. 300 IN A 185.199.109.153 dnssec-tools.org. 300 IN RRSIG A 13 2 300 20240306033514 20240221020514 52833 dnssec-tools.org. a16XkN9DHA4w4A+HdsfudiCIzDStxgq4+k+WUX3ignN4tOUVFJ0MYqaV a7Gt3ks39ysIAI2A39ppVEHj7M6l1Q== ``` If `DNSSEC` is enabled for your domain, disable it at your registrar and then check to see if this solves your resolution issue. ## Verify Domain Registrar Status To check if the registrar has imposed restrictions hindering DNS record updates for the domain, use [`whois`](https://whois.domaintools.com) to check the registrar’s current status. For information about the registrar status, read ICANN’s [EPP status codes](https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en). ## All DigitalOcean Name Servers are not Configured at Your Registrar To propagate DNS records set up in the [DigitalOcean Control Panel](https://cloud.digitalocean.com/), your domain should point to all three DigitalOcean name servers. This means you need to delegate your domain by configuring your domain at your registrar to use DigitalOcean’s name servers instead of the registrar’s name servers. DigitalOcean has three name servers: - ns3.digitalocean.com. - ns1.digitalocean.com. - ns2.digitalocean.com. You can verify if your domain is using these servers by running in your terminal: ```shell dig +short your-domain.com NS ``` You should receive this output if your domain is correctly configured to use DigitalOcean’s name servers: ```shell ns3.digitalocean.com. ns1.digitalocean.com. ns2.digitalocean.com. ``` If you receive different name servers, reference your registrar’s documentation to see how to delegate your domain to use DigitalOcean’s name servers. ## Other DNS Providers are Active If you are using multiple DNS providers, this can cause inconsistent domain behavior. If you configure your domain to use name servers from both your domain’s registrar and DigitalOcean, then this could lead to inconsistent DNS propagation if the records are not synced between the two providers. For example, if you have an A record for `example.com` that points to `203.0.113.65` on DigitalOcean and another A record at GoDaddy that points to `192.0.2.125`, this causes inconsistent behavior as some users are sent to one IP address while others are sent to the other. If you are using multiple DNS providers, but are having issues keeping records synced between the sets of name servers, consider using a single provider. You can do this by updating your domain’s delegation at your registrar to use only one set of name servers from a single provider. ## Related Topics [How do I fix the error "Record is managed by an App on this account, and cannot be deleted"?](https://docs.digitalocean.com/support/how-do-i-fix-the-error-record-is-managed-by-an-app-on-this-account-and-cannot-be-deleted/index.html.md): Use the app’s Settings tab to remove domains associated with App Platform apps. [Why aren't my vanity DNS name servers resolving?](https://docs.digitalocean.com/support/why-arent-my-vanity-dns-name-servers-resolving/index.html.md): If you use vanity or branded DNS nameservers that delegate to DigitalOcean’s nameservers, you must update to new IP addresses. [How do I fix the DNS error "Primary Name Server Not Listed at Parent"?](https://docs.digitalocean.com/support/how-do-i-fix-the-dns-error-primary-name-server-not-listed-at-parent/index.html.md): Update your registrar to use DigitalOcean’s name servers.