4 days ago
My custom domain has been stuck in "Waiting for DNS update" status for over 48 hours, even though both the CNAME and TXT records resolve correctly from public DNS.
Setup:
- Service type: FastAPI (Dockerfile)
- Custom domain: ..com
- Target port: 8000
DNS records configured at my registrar (matching what Railway's "Show DNS records" panel displays):
CNAME → .up.railway.app
TXT _railway-verify. → railway-verify=
Verification from my machine:
$ dig ..com CNAME +short
$ dig TXT _railway-verify...com +short
"railway-verify="
Both values exactly match what Railway's dashboard expects. In the dashboard, the CNAME row shows a green tick, but the TXT row still shows the warning icon and the domain stays in "Waiting for DNS update".
Requests to the custom domain return Railway's edge 404:
{"status":"error","code":404,"message":"Application not found","request_id":""}
The Railway-generated *.up.railway.app URL responds correctly, so the underlying service is healthy — only the custom domain mapping is broken.
I've already tried:
- Removing and re-adding the domain (verification still doesn't complete)
- Confirming there are no conflicting A/URL Forwarding records on the registrar
- Confirming TTL is low (5 min)
Has anyone hit this before? Or is there a way to manually trigger Railway's TXT re-check?
2 Replies
Status changed to Open Railway • 4 days ago
4 days ago
Hey! I've run into this exact headache before. The 404 you're getting is actually totally normal—Railway's edge router won't forward traffic to your port 8000 until the domain is fully verified and the SSL certificate is minted.
Since your local dig commands show the records are propagating perfectly, the issue is that Railway's backend is either stuck in a cached loop or something is silently blocking Let's Encrypt from issuing the certificate.
Here are the most likely culprits and how to fix them, from most to least common:
1. The Ghost State (Force a Sync) Railway's state management sometimes caches a "failed" verification and just sits there. You can force it to wake up:
- The Dummy Domain Trick: Add a completely random subdomain (like
testping.<my-domain>.com) to Railway and set up the records for it. If that one verifies instantly, your original domain is just stuck in a bad cache. Delete both, wait 15 minutes, and add your original one back. - The Redeploy Kick: Sometimes the network routing only updates on a fresh build. Change a dummy environment variable in your Railway dashboard to force a new deployment. This often kicks the edge router into re-evaluating the domains.
2. The Silent Killer: CAA Records This one catches a lot of people out. Railway uses Let's Encrypt for SSL. Even if your CNAME and TXT are perfect, if your root domain (<my-domain>.com) has a restrictive CAA record, the SSL generation will silently fail in the background, leaving you stuck on "Waiting for DNS".
- Run
dig CAA <my-domain>.com +short. - If it returns anything, you need to make sure there's a record explicitly allowing
letsencrypt.org. If it's missing, add it at your registrar.
3. Strict DNS Resolution (DNSSEC) You verified it locally, but Railway's backend uses strict resolvers like Cloudflare (1.1.1.1). If your registrar has a slightly misconfigured DNSSEC, local networks might ignore it, but strict resolvers will drop the request entirely.
- Test it exactly how Railway sees it:
dig @1.1.1.1 TXT _railway-verify.<subdomain>.<my-domain>.com +short - If that fails but your normal
digworks, temporarily disable DNSSEC at your registrar, let Railway verify, and then turn it back on.
4. Conflicting TXT Records Just double-check your registrar to ensure there aren't two different TXT records sitting on that exact _railway-verify host. If there's an old one lingering there, Railway's automated scraper might be grabbing the wrong one and failing the check.
If you try the dummy deployment/domain tricks and ensure your CAA is clear, and it's still stuck, it's a hung queue on Railway's end. Drop a message to their support with your Project ID and mention "TXT verification for Let's Encrypt is stuck in a loop." They can usually flush the queue manually in a few minutes.
Hope this helps you unblock it!
3 days ago
Make sure you're clicking the button to copy the entire string for the TXT record instead of manually dragging/selecting.