Understanding DNS Glue Records: Essential for Domain Delegation and Nameserver Resolution


Glue records solve a fundamental chicken-and-egg problem in DNS delegation. When you set up nameservers for a domain (e.g., ns1.example.com), those nameservers themselves need to be resolvable before the domain can resolve properly.

Here's what the registry holds for the delegation once glue records are set (the NS records naming the nameservers, plus the glue A records giving their addresses):

example.com.    IN  NS  ns1.example.com.
example.com.    IN  NS  ns2.example.com.
ns1.example.com. IN A  192.0.2.1
ns2.example.com. IN A  192.0.2.2

When creating a hosted zone in Route 53, AWS assigns the nameservers and publishes their address records for you, so you do not have to enter glue yourself. Note that these hosts live in AWS's own awsdns zones rather than inside example.com, so the delegation for example.com does not depend on glue for them; their addresses are served from the awsdns zones:

; Sample nameserver and address records for AWS nameservers
example.com.    IN  NS  ns-123.awsdns-45.com.
example.com.    IN  NS  ns-678.awsdns-89.org.
ns-123.awsdns-45.com. IN A 205.251.192.37
ns-678.awsdns-89.org. IN A 205.251.194.131

Use dig to verify glue records (+trace walks the delegation down from the root and shows each referral; the queries to 8.8.8.8 show what a recursive resolver returns):

dig +trace example.com
dig @8.8.8.8 example.com NS
dig @8.8.8.8 ns1.example.com A

Common symptoms of glue record problems include:
• DNS resolution timeouts
• "Server not found" errors
• Inconsistent resolution across networks

Glue records must be consistent with the zone's DNSSEC delegation data. The parent's DS record must match the signing key published in the child zone, and the glue addresses must point at servers that actually serve the signed zone; a mismatch on either side leads to validation failures:

; Example of a DNSSEC-signed delegation with glue
example.com.    IN  DS  2371 13 2 329E...
ns1.example.com. IN A  192.0.2.1

A DNS glue record is a type of DNS record that provides the IP address of a nameserver when that nameserver is part of the domain it is authoritative for. Without glue records, a circular dependency would occur, making it impossible to resolve the domain.

When a domain's nameservers are subdomains of the domain itself (e.g., ns1.example.com for example.com), a resolver needs the IP addresses of these nameservers to continue the resolution process. Without glue records, the resolver would enter an infinite loop:

1. Query root servers for example.com → Refer to .com servers.
2. Query .com servers → Refer to ns1.example.com.
3. Query ns1.example.com → But ns1.example.com is part of example.com!

Glue records break this loop by providing the IP addresses upfront.

Glue records are stored at the TLD (Top-Level Domain) level. For example, if example.com uses ns1.example.com as a nameserver, the .com registry will store the glue record mapping ns1.example.com to its IP address.

Here’s how the nameserver address records look in the zone file for example.com (the glue records held by the registry are copies of these, submitted through your registrar):

; Zone file for example.com
$TTL 3600
@       IN      SOA     ns1.example.com. admin.example.com. (
                        2024010101 ; Serial
                        3600       ; Refresh
                        1800       ; Retry
                        604800     ; Expire
                        86400      ; Minimum TTL
)

; Address records for the nameservers (the registry's glue records are copies of these)
ns1     IN      A       192.0.2.1
ns2     IN      A       192.0.2.2

; Other records
@       IN      NS      ns1.example.com.
@       IN      NS      ns2.example.com.

Common glue record problems:
• Missing Glue Records: If glue records are not set, domain resolution fails.
• Incorrect IPs: If the IPs in glue records don’t match the actual nameserver IPs, resolution breaks.
• Propagation Delays: Changes to glue records can take longer to propagate than other DNS changes.

Use dig to check glue records:

dig +trace example.com

In the output, look for the referral from the TLD servers and confirm that the A records of the nameservers are present and match the addresses your nameservers actually use.
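As an added example (not part of the original article), the following Python script performs the same comparison offline: it takes a constructed TLD referral for example.com (NS records plus the registry's glue) and the A records the child's nameservers would answer with, and flags each delegated nameserver as ok, missing glue, mismatched glue, or out-of-bailiwick (no glue needed). The record data, the zone name and the function names are assumptions made for the illustration.

```python
# Constructed sample data: the referral a .com server hands back for example.com
# (NS records plus the registry's glue A records) and the A records the child
# zone's own nameservers answer with, in the "owner IN TYPE rdata" form used above.
REFERRAL = """
example.com.      IN NS ns1.example.com.
example.com.      IN NS ns2.example.com.
example.com.      IN NS ns3.example.com.
example.com.      IN NS ns.dnsprovider.net.
ns1.example.com.  IN A  192.0.2.1
ns2.example.com.  IN A  192.0.2.99   ; stale glue: host moved, registry not updated
"""
CHILD_ANSWERS = """
ns1.example.com.  IN A  192.0.2.1
ns2.example.com.  IN A  192.0.2.2
ns3.example.com.  IN A  192.0.2.3
"""

def parse_records(text):
    """Parse 'owner IN TYPE rdata' lines into (owner, type, rdata); ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            owner, _cls, rtype, rdata = line.split(None, 3)
            records.append((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return records

def check_glue(zone, referral_text, child_text):
    """Classify each delegated NS as ok, missing glue, mismatched glue, or needing no glue."""
    referral, child = parse_records(referral_text), parse_records(child_text)
    ns_hosts = [rd for o, t, rd in referral if o == zone and t == "NS"]
    glue, child_addrs = {}, {}
    for o, t, rd in referral:
        if t == "A":
            glue.setdefault(o, set()).add(rd)
    for o, t, rd in child:
        if t == "A":
            child_addrs.setdefault(o, set()).add(rd)
    findings = {"ok": [], "missing": [], "mismatched": [], "no_glue_needed": []}
    for host in ns_hosts:
        if not host.endswith("." + zone):            # out-of-bailiwick: has its own zone
            findings["no_glue_needed"].append(host)
        elif host not in glue:                       # the circular dependency case
            findings["missing"].append(host)
        elif glue[host] != child_addrs.get(host, set()):
            findings["mismatched"].append(host)      # registry and child disagree
        else:
            findings["ok"].append(host)
    return findings
```

Calling check_glue("example.com.", REFERRAL, CHILD_ANSWERS) reports ns1 as ok, ns2 as mismatched, ns3 as missing and ns.dnsprovider.net as needing no glue; to run it against live data, paste the ADDITIONAL section of a dig query sent directly to a TLD server into REFERRAL.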