10

I've dealt with BIND for years and this has always kind of bugged me.

```
$ dig google.com ns

;; QUESTION SECTION:
;google.com.            IN  NS

;; ANSWER SECTION:
google.com.     87046   IN  NS  ns3.google.com.
etc...

;; ADDITIONAL SECTION:
ns1.google.com.     87274   IN  A   216.239.32.10
etc.
```

I get that, at least notionally, the root servers handle ., and hand off .com., .gov., whatever to the right servers (though in practice this is all cached several levels down), but at some point, somebody has to know to ask the server at 216.239.32.10 for the A record of whatever.google.com. But how did resolvers figure that out in the first place, since you need to know the A of the NS to do that? (And for that matter, since we know it's an Internet NS and not, say, Chaos or something, why do you have to use a name rather than an address for the NS record?)

My nameservers have always had names that could be found by somebody upstream (e.g., I hosted DNS for bar.com on foo.com, and my upstream handled foo.com), but I have never quite grasped how people like Google get over the chicken and egg problem of hosting the DNS for google.com under the name google.com.

figtrap
Bandrami
  • See also http://serverfault.com/q/309622 – Shane Madden Jan 11 '14 at 09:09
  • "What is a glue record?" is what people will find if they know the term "glue record" but don't know what it is, which is the opposite of the problem I had. – Bandrami Jan 13 '14 at 03:14
  • Exactly, you having the term "Chicken and egg" in the title is what actually led me here from a google search! I would have never searched glue record on my own. – aliqandil Nov 06 '20 at 11:34

1 Answer

12

I think the concept you're struggling with is glue records.


From that linked article above:

For example, if the authoritative name server for example.org is ns1.example.org, a computer trying to resolve www.example.org first resolves ns1.example.org. Since ns1 is contained in example.org, this requires resolving example.org first, which presents a circular dependency. To break the dependency, the name server for the top level domain org includes glue along with the delegation for example.org. The glue records are address records that provide IP addresses for ns1.example.org. The resolver uses one or more of these IP addresses to query one of the domain's authoritative servers, which allows it to complete the DNS query.

Mark Henderson
user9517
  • So .com hosts a "bootstrap" record for google.com? – Bandrami Jan 11 '14 at 07:04
  • Yes, that's a glue record. – user9517 Jan 11 '14 at 07:05
  • In practice, it seems to be dependent on the registrar. The company I work for uses our own name server, but when our registrar [failed](http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/), all our sites were down. So then, the glue record is set by the registrar when you set up your custom name server. – TecBrat Jan 11 '14 at 12:52
  • It's also worth mentioning that you still need the NS record and corresponding A/AAAA records for it in your zone; glue records can be used for glue but aren't authoritative and if you don't have an authoritative copy somewhere they might be unresolvable. – Falcon Momot Jan 12 '14 at 22:36
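
The circular dependency described in the answer can be checked mechanically. The following is an added example, not part of the original thread: it reads dig-style output and reports, for each nameserver of a zone, whether it sits inside the zone (and so needs glue) and whether the response carried that glue. The sample referral is constructed with documentation addresses, and the function names are hypothetical.

```python
# Added example: classify a zone's nameservers by whether they need glue.
# SAMPLE_REFERRAL is constructed (documentation addresses), not captured output.
SAMPLE_REFERRAL = """\
;; AUTHORITY SECTION:
example.org.      172800  IN  NS    ns1.example.org.
example.org.      172800  IN  NS    ns2.example.org.
example.org.      172800  IN  NS    ns.example.net.

;; ADDITIONAL SECTION:
ns1.example.org.  172800  IN  A     192.0.2.53
ns1.example.org.  172800  IN  AAAA  2001:db8::53
"""

def parse_sections(text):
    """Split dig-style output into {section: [(owner, rtype, rdata), ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:-len("SECTION:")].strip()
            sections[current] = []
        elif line and not line.startswith(";") and current:
            fields = line.split()
            if len(fields) >= 5:  # owner ttl class type rdata
                sections[current].append(
                    (fields[0].lower(), fields[3].upper(), fields[4].lower()))
    return sections

def in_bailiwick(name, zone):
    """True if name is the zone apex or below it, compared on label boundaries."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def glue_report(zone, text):
    """Map each nameserver of `zone` to (status, glue addresses)."""
    sections = parse_sections(text)
    glue = {}
    for owner, rtype, rdata in sections.get("ADDITIONAL", []):
        if rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata)
    report = {}
    # A referral carries NS in AUTHORITY; a recursive answer carries it in ANSWER.
    for owner, rtype, ns in sections.get("AUTHORITY", []) + sections.get("ANSWER", []):
        if rtype != "NS" or owner.rstrip(".") != zone.rstrip(".").lower():
            continue
        if not in_bailiwick(ns, zone):
            report[ns] = ("out-of-zone", [])   # resolvable via another zone, no glue needed
        elif ns in glue:
            report[ns] = ("glue", glue[ns])    # parent supplied the bootstrap address
        else:
            report[ns] = ("missing-glue", [])  # circular: cannot be resolved from this response
    return report
```

A `missing-glue` entry is the chicken-and-egg case from the question: the only way to learn that nameserver's address would be to ask the zone it is supposed to serve.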