
I currently have 2 DNS A records for my main domain pointing to different IP addresses. This is creating problems when I try to use certbot to generate a Let's Encrypt SSL certificate for my domain, because it seems that when doing http-01 validation to prove that I own the domain, it takes just the first host that is resolved and tries to do the validation against it, but as this first one isn't currently online, it cannot validate it.

I decided that I want to remove the invalid DNS record from my nameservers. I wonder if the standard propagation time applies as when adding a new record. And do DNS servers actually remove the entries right away?

user3362334
  • This can only be partially answered. AFAIK, the second A record will "hang around" until the TTL associated with it has run out. (Each record can have its own TTL.) The only ones who can advise if the DNS servers remove the entries right away are your DNS provider. If you are using Bind and do a reload, then it will happen on the reload. If you are using prodns or mydns, generally within a few seconds of the updated record. Make sure the SOA for the zone is updated. – davidgo Mar 10 '20 at 10:31
  • @davidgo Since DNSSEC, TTLs must be the same in a recordset; they cannot differ from one record to another (for the same name and type). – Patrick Mevzek Mar 13 '20 at 04:35
  • "it takes just the first host that is resolved": there is no order in the DNS, as it deals only with sets. Many resolvers will in fact randomize the output order, and change it at each query. – Patrick Mevzek Mar 13 '20 at 04:36

2 Answers


> I wonder if standard propagation time applies as when adding a new record

The standard propagation time is the TTL (Time To Live), which indicates how long a record is cached by a DNS resolver (client). If you set the TTL to 300, your change will be live 300 seconds after the record was last cached by a DNS resolver.

> does DNS servers actually remove the entries right away?

Yes, the DNS server actually removes the entries right away. If a DNS resolver has never connected to your server, the client will get the latest DNS records/entries, because your entries were never cached.

Note: on some bad DNS servers, the update can be slow. But that only happens if the DNS server is not good or has too many records.
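The TTL behaviour this answer describes, as an added example (not code from the question or the answer): a constructed authoritative zone with the two A records from the question, a TTL-bounded resolver cache in front of it, and a clock we control so the run is deterministic and offline. The names, IPs (192.0.2.x documentation addresses) and the 300-second TTL are assumptions chosen for the demonstration. It shows that a resolver which cached the RRset before the deletion keeps serving the removed address until its copy expires, while a resolver that never cached it sees the change on its very first query.

```python
from dataclasses import dataclass

# Constructed scenario: one authoritative zone, two recursive resolvers,
# and a clock we advance by hand so the run is deterministic and offline.
TTL = 300
NAME = "yourdomain.com."      # assumed name
GOOD_IP = "192.0.2.2"         # host that is online
STALE_IP = "192.0.2.1"        # host that is offline and will be removed


@dataclass
class CachedRRset:
    rdata: frozenset
    expires_at: int  # absolute time at which the cached copy is discarded


class AuthoritativeZone:
    """Holds the zone's records; an edit here is visible to the next query."""

    def __init__(self):
        self.records = {(NAME, "A"): (TTL, {GOOD_IP, STALE_IP})}

    def lookup(self, name, rtype):
        ttl, rdata = self.records[(name, rtype)]
        return ttl, frozenset(rdata)

    def remove(self, name, rtype, value):
        _ttl, rdata = self.records[(name, rtype)]
        rdata.discard(value)


class RecursiveResolver:
    """Serves from cache until the RRset's TTL has elapsed, then re-asks the zone."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}

    def resolve(self, name, rtype, now):
        key = (name, rtype)
        entry = self.cache.get(key)
        if entry is not None and now < entry.expires_at:
            return set(entry.rdata), "cache"
        # Cache miss or expired copy: fetch the current RRset and cache it
        # for the full TTL the authoritative server hands out.
        ttl, rdata = self.zone.lookup(name, rtype)
        self.cache[key] = CachedRRset(rdata, now + ttl)
        return set(rdata), "authoritative"


def simulate():
    """Run the removal scenario; returns {step: (addresses, where_they_came_from)}."""
    zone = AuthoritativeZone()
    warm = RecursiveResolver(zone)  # resolver that cached before the change
    cold = RecursiveResolver(zone)  # resolver that never saw the old RRset
    log = {}
    log["warm_t0"] = warm.resolve(NAME, "A", now=0)        # caches both IPs
    zone.remove(NAME, "A", STALE_IP)                        # operator deletes the record
    log["warm_t100"] = warm.resolve(NAME, "A", now=100)    # still the old set, from cache
    log["cold_t100"] = cold.resolve(NAME, "A", now=100)    # fresh resolver sees the change
    log["warm_t300"] = warm.resolve(NAME, "A", now=300)    # TTL elapsed, refetched
    return log


if __name__ == "__main__":
    for step, (rdata, source) in simulate().items():
        print(f"{step:10s} {source:14s} {sorted(rdata)}")
```

The only knob you control after the fact is the TTL that was in effect when resolvers last cached the RRset, which is why lowering the TTL well before a planned change, and waiting out the old TTL before making it, is the usual practice.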


You have to remove the unused A record from DNS. It will take some time to propagate. Run the command below from a terminal to check propagation:

   dig yourdomain.com A

Vinoth Rc
  • [DNS doesn't propagate](https://serverfault.com/a/153723/274176), but gets cached on the recursive DNS servers. This command doesn't tell anything about the caching situation on any remote location, just the cache on the recursive server you are using. This isn't much helpful considering the whole situation OP has. – Esa Jokinen Mar 10 '20 at 15:13
  • What's your domain name? – Vinoth Rc Mar 10 '20 at 15:22
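Reading the `dig` output this answer suggests, as an added example (not code from the answer): the TTL column in the ANSWER SECTION is the remaining cache lifetime when the reply comes from a recursive resolver, and the zone's configured TTL when it comes from the authoritative server (`dig @ns1.yourdomain.com yourdomain.com A`). The two dig outputs below are constructed samples, and the nameserver name and 192.0.2.x addresses are assumptions; the parser extracts the answer RRs and reports whether a deleted address is still being served and for at most how many more seconds.

```python
# Constructed sample of `dig yourdomain.com A` as a recursive resolver prints it
# while the deleted record is still in its cache: the TTL column counts down.
RECURSIVE_OUTPUT = """\
;; QUESTION SECTION:
;yourdomain.com.\t\t\tIN\tA

;; ANSWER SECTION:
yourdomain.com.\t\t287\tIN\tA\t192.0.2.1
yourdomain.com.\t\t287\tIN\tA\t192.0.2.2

;; Query time: 1 msec
"""

# Constructed sample of the same query sent to the authoritative nameserver
# (`dig @ns1.yourdomain.com yourdomain.com A`, name assumed): it carries the
# zone's configured TTL and already reflects the removal.
AUTHORITATIVE_OUTPUT = """\
;; ANSWER SECTION:
yourdomain.com.\t\t300\tIN\tA\t192.0.2.2

;; AUTHORITY SECTION:
yourdomain.com.\t\t300\tIN\tNS\tns1.yourdomain.com.
"""


def answer_records(dig_output):
    """Return the RRs in dig's ANSWER SECTION as (name, ttl, rtype, rdata) tuples."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            break  # a blank line or the next section header ends the answer
        fields = line.split()
        if len(fields) < 5:
            continue  # not an RR line in presentation format
        name, ttl, _cls, rtype, *rdata = fields
        records.append((name, int(ttl), rtype, " ".join(rdata)))
    return records


def removed_record_status(dig_output, removed_ip):
    """(still_served, seconds_until_this_copy_expires) for an A record you deleted."""
    for _name, ttl, rtype, rdata in answer_records(dig_output):
        if rtype == "A" and rdata == removed_ip:
            return True, ttl
    return False, 0


if __name__ == "__main__":
    for label, output in (("recursive", RECURSIVE_OUTPUT), ("authoritative", AUTHORITATIVE_OUTPUT)):
        served, ttl = removed_record_status(output, "192.0.2.1")
        print(f"{label:14s} stale record served: {served}  remaining TTL: {ttl}s")
```

Run the authoritative query first: if the stale address is gone there, the change is complete on your side, and any resolver that still returns it is serving a cached copy that will expire within the TTL it shows.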