How to Verify DNS Glue Records: A Technical Guide for Name Server Configuration


2 views

When you register name servers that are subdomains of your own domain (like ns1.example.org for example.org), you need to create glue records at your domain registrar. These records provide the IP addresses of your name servers to the parent DNS servers (.org TLD servers in this case). Without proper glue records, DNS resolution would enter a chicken-and-egg situation.

WHOIS isn't the most reliable way to check glue records. Instead, use these technical methods:

1. Dig Command Directly Against TLD Servers

dig @a0.org.afilias-nst.info example.org NS

This queries the .org TLD servers directly. In the response, look for the ADDITIONAL SECTION that should contain both your NS records and their A records.

2. Checking Parent Server Cache

dig +trace example.org

The trace will show you how resolution progresses from root servers down to your authoritative servers. At the TLD server step, you should see your NS records with their IPs.

3. Using Specialized DNS Tools

# Using dnsviz
dnsviz probe -d 0 example.org
dnsviz grok example.org.json

Problem: WHOIS shows NS records but no IPs
Solution: This is normal - WHOIS isn't authoritative for glue records. Some registries display them, others don't.

Problem: Glue records exist but aren't propagating
Solution: Check TTL values and allow up to 48 hours for full propagation.

For a domain example.org with name servers:

ns1.example.org = 192.0.2.1
ns2.example.org = 192.0.2.2

At your registrar, you would need to:

  1. Register the name servers (ns1.example.org, ns2.example.org)
  2. Provide their IP addresses
  3. Set these as your domain's authoritative name servers

Here's a Python script to check glue records:

import dns.resolver

def check_glue(domain):
    try:
        # Query TLD servers directly
        tld_servers = ['a0.org.afilias-nst.info', 'a2.org.afilias-nst.info']
        for tld in tld_servers:
            resolver = dns.resolver.Resolver()
            resolver.nameservers = [str(dns.resolver.query(tld, 'A')[0])]
            answer = resolver.query(domain, 'NS')
            print(f"Response from {tld}:")
            print("NS Records:", [str(r) for r in answer])
            print("Additional Section:")
            for rr in answer.response.additional:
                print(rr)
    except Exception as e:
        print(f"Error: {e}")

check_glue('example.org')

After setting glue records:

  1. Wait at least 24 hours for propagation
  2. Verify using multiple methods (dig, online tools, scripts)
  3. Check from different geographic locations
  4. Test both IPv4 and IPv6 if applicable

Remember that glue records are only needed when your name servers are subdomains of the domain they're serving. For independent name servers (like ns1.example.net serving example.org), glue records aren't required.

When you set up authoritative name servers that are subdomains of the domain they serve (like ns1.example.org for example.org), you need glue records. These are A/AAAA records provided at the registry level to break circular dependencies during DNS resolution.

Here are three reliable ways to verify your glue records:

# Method 1: Using dig to check at root servers
dig @a.root-servers.net example.org NS +trace

# Method 2: Direct registry query
dig @whois.internic.net example.org

# Method 3: Checking TLD servers directly
dig @a.gtld-servers.net example.org NS

Common problems programmers encounter:

  • Glue records missing at registry level
  • IP address mismatch between glue and actual NS records
  • Propagation delays after updates (up to 48 hours)

Here's how to verify glue records programmatically using Python:

import dns.resolver

def check_glue_records(domain):
    try:
        # Query root servers
        answer = dns.resolver.resolve(domain, 'NS', 
                   raise_on_no_answer=False,
                   search=False)
        
        print(f"Name servers for {domain}:")
        for ns in answer:
            print(f" - {ns.target}")
            
            # Attempt to resolve the NS's IP
            try:
                ip = dns.resolver.resolve(str(ns.target), 'A')
                print(f"   IP: {ip[0].address}")
            except dns.resolver.NoAnswer:
                print("   No glue record found!")
                
    except Exception as e:
        print(f"Error: {e}")

check_glue_records("example.org")

The .org registry handles glue records differently than .com/.net. Some key differences:

TLD Glue Record Visibility
.com Shows in whois
.net Shows in whois
.org Not shown in whois

When troubleshooting glue records:

  1. Verify NS records at your registrar's control panel
  2. Use authoritative name server queries (not cached results)
  3. Check both IPv4 and IPv6 glue records if applicable
  4. Test from multiple geographic locations