37

Hello I have just set up a DNS server for my domain example.org with 2 name servers ns1.example.org and ns2.example.org. I have attempted to set up a glue record for ns1 and ns2 at my registrar.

It seems to work for now when I do a dig example.org but when I do a whois example.org it lists ns1.example.org and ns2.example.org but not their IP address which should be set up as a glue record.

So I am wondering how do I check for the existence of a glue record? Do I do it with whois? I have seen .com and .net whois records that have both the domain name as well as the IP address for the name servers, is .org different? What's the proper way to test this?

Thanks.

5 Answers

56

Glue records only ever exist in the parent zone of a domain name.

Hence in the case of your example.org domain name, first find the .org name servers:

% dig +short org. NS
a0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b0.org.afilias-nst.org.
b2.org.afilias-nst.org.
c0.org.afilias-nst.info.
d0.org.afilias-nst.org.

Then, for as many of these as you feel like testing, explicitly ask those name servers for the NS records for your domain:

% dig +norec @a0.org.afilias-nst.info. example.org. NS

You should get back the correct list of NS records in the "AUTHORITY SECTION". For any name servers that have correctly configured glue you should see those glue A (and/or AAAA) records appear in the "ADDITIONAL SECTION".

Binky
Alnitak
  • For my domain, the additional section contains the glue record, but also several other NS records which are not part of the glue I set in the registry. How do I tell those apart? – Calimo Feb 15 '17 at 14:12
10

dig +trace is generally the most straightforward way to inspect the chain of delegations. However, glue records are in the additional section and by default trace output does not include the additional section. You will need to specify explicitly that you want this included in the output.

dig +trace +additional example.com


If the idea is to check the sanity of the delegation chain you will probably want to see the authoritative NS records as well, in this case:

dig +trace +additional example.com NS
Håkan Lindqvist
7

To check if a GLUE record is set up:

dig +trace @a.root-servers.net ns0.nameserverhere.com

If the GLUE is set up you should see a record that ends with:

“Received XXX bytes from x.GTLD-SERVERS.NET.”

There are also sites which will do it for you, such as http://www.intodns.com/

hbogert
Coops
  • Thanks, intodns worked great, getting all green ticks on the glue and NS stuff. I don't get the dig command though. I did get a Received message. In particular, I got this: "Received 433 bytes from 192.33.4.12#53(c.root-servers.net) in 183 ms." But then it ends with: "connection timed out; no servers could be reached" I also get similar messages when using a random number for the ns part, e.g. ns384289.example.org. –  May 16 '10 at 13:44
  • 10
    that dig diagnostic test is completely wrong... – Alnitak May 17 '10 at 10:25
  • I know this is old but very helpful. I piped the results into sed/awk to compare the root vs. nameserver to identify mismatched NS records. – jeffatrackaid Jun 12 '13 at 13:55
5

Here is a little shell script which implements Alnitak's answer:

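#!/bin/sh
# Ask every name server of the TLD for the NS records of the given domain.
if [ -z "$1" ]; then
  echo "Usage: $0 domain" >&2
  exit 1
fi

# Split the argument on dots; the last label is the TLD.
# $1 is deliberately unquoted here so that it is split on IFS.
S=${IFS}
IFS=.
for P in $1; do
  TLD=${P}
done
IFS=${S}

echo "TLD: ${TLD}"
# Name servers of the parent (TLD) zone.
DNSLIST=$(dig +short "${TLD}." NS)
for DNS in ${DNSLIST}; do
  echo "Checking ${DNS}"
  # +norec asks the parent server itself; any A/AAAA records printed
  # after the NS records are the glue.
  dig +norec +nocomments +noquestion +nostats +nocmd "@${DNS}" "$1" NS
done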

Pass the name of the domain as parameter:

./checkgluerecords.sh example.org
Adrian W
1

You can also use whois, where the registry supports it, for directly checking the existence of glue for a given name server. For example, to check one of the name servers of serverfault.com:

whois ns-860.awsdns-43.net.

For a more concise response:

whois ns-860.awsdns-43.net. | grep "No match\|IP" | xargs

Note: This will certainly work for name servers in the .net and .com name space, but probably not for most other registries.

user3166580
  • 1
    whois is really not the right tool to query for existence of glue. `dig` is more appropriate. – sendmoreinfo Feb 24 '17 at 18:19
  • 1
    I disagree: you can **directly** check the existence of glue with whois (i.e. without needing a domain that has been delegated to that name server), but now that I have checked that is not the case with .org TLD. My answer is correct for .net/.com, but that is not what the original question was, so I suppose it is not a good answer to that question. – user3166580 Feb 27 '17 at 09:23
  • I also think the key point to original post is that, if the glue didn't exist in the org parent zone, then you would not have been able to delegate the domain to the name servers. i.e. because you cannot have glueless in-bailiwick name servers. – user3166580 Feb 27 '17 at 09:30
  • 1
    Your answer is correct for neither TLDs. `whois` has nothing to do with operational DNS and is not the tool to use to see glues. You can use whois to search for nameservers existing at registries, but the fact that the nameserver is stored at an object here does not mean it is used by the domain in which it is bailiwick which is the only case it needs to be published as a glue. – Patrick Mevzek Jul 22 '18 at 02:46