1

I don't understand this. Everywhere I read that glue records are only required to prevent circular dependencies, for example I want to set ns1.example.com and ns2.example.com nameservers for the example.com domain name.

But according to my experience it is not true. I want to create my own nameservers such as ns1.example.com and ns2.example.com. Example.com is my domain name, and I already have the 2 IPs for my nameservers and the nameservers work. I just need to create hostnames for my nameserver IPs.

So I added 2 A records for my example.com domain name using the DNS zone file editor (ns1.example.com. 300 IN A [nameserverip1] and ns2.example.com. 300 IN A [nameserverip2]). Example.com uses an external DNS service, it will never use the ns1.example.com and ns2.example.com nameservers, so in theory glue records are not required.

However this is what I experienced: there is example.net and I want to use the ns1.example.com and ns2.example.com nameservers for example.net, and guess what, it doesn't work. Because when I try to enter these nameservers, I get the error: Entity reference not found [host ns1.example.com not found.]

But after I open the control panel of my example.com domain name registrar and register the ns1.example.com and ns2.example.com nameservers (I create glue records), then it will work.

But I want to avoid setting the glue records, because I cannot control the TTL of the glue records, so if the IPs will change, I may experience downtime.

Why isn't it enough to only add the A records for ns1.example.com and ns2.example.com? Why must I register them at my domain name registrar?

Update: according to my experience, it is only an issue with .com, .net and .org domain names. Is it true that these TLDs require glue records even if there is no circular dependency? Because for example when I use the ns1.example.hu and ns2.example.hu nameservers, they work only with A records and no glue records. Seems like the .hu root servers behave differently than the .com root servers?

MexDeluxe
  • There may be limitations/additional requirements set by either your registrar or in the control panel you're using as I get the impression your [understanding of GLUE records](http://serverfault.com/q/309622/37681) seems to be correct. – HBruijn Feb 26 '17 at 22:24
  • yes so if very popular domain name registrars only allow nameservers with glue records for .com domains, then in practice glue records are always required, even when there is no circular dependency? Then the common advice found on the net is wrong ("glue records are only required to prevent circular dependency") – MexDeluxe Feb 26 '17 at 23:11

2 Answers

2

com and net share a set of authoritative nameservers:

```
$ dig @f.root-servers.net. +noall +authority +norecurse net
net.                    172800  IN      NS      b.gtld-servers.net.
net.                    172800  IN      NS      h.gtld-servers.net.
net.                    172800  IN      NS      c.gtld-servers.net.
net.                    172800  IN      NS      j.gtld-servers.net.
net.                    172800  IN      NS      f.gtld-servers.net.
net.                    172800  IN      NS      l.gtld-servers.net.
net.                    172800  IN      NS      m.gtld-servers.net.
net.                    172800  IN      NS      k.gtld-servers.net.
net.                    172800  IN      NS      d.gtld-servers.net.
net.                    172800  IN      NS      i.gtld-servers.net.
net.                    172800  IN      NS      e.gtld-servers.net.
net.                    172800  IN      NS      a.gtld-servers.net.
net.                    172800  IN      NS      g.gtld-servers.net.
```

```
$ dig @f.root-servers.net. +noall +authority +norecurse com
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
```

These are two of the oldest and most common TLDs on the internet, which creates an interesting problem. Domains falling within these TLDs need glue for all permutations of nameservers ending in com or net. This also tends to create an impression among many who deal with these domains that glue is not optional.

Even in cases where you're not using a problematic permutation, you might run into more restrictive glue checks when attempting to set nameservers for a domain falling within this scope. Given the problems that these registrars are having to code for with these two domains (and any other suffixes which share a set of nameservers), they're less likely to be more nuanced about their requirements.

As a general rule, the newer the TLD is, the less likely the registrars for that TLD are going to enforce these restrictions upon you. It's fairly common to see glueless nameservers in the wild when dealing with the newer suffixes.

Andrew B
  • Ok so in practice glue records are required, if the nameservers are .com or .net? But I wanted to avoid glue records, because I cannot control the TTL of the glue records, so if the IP address changes, I may experience downtime. Actually I need these nameservers for a reseller hosting, so I have no control over the IPs, they may change by the provider. But I could use another domain for my nameserver, for example example.hu, because my clients will be from Hungary and as I tested, .hu nameserver domains don't need glue records. So I am not forced to use a .com domain for nameserver. – MexDeluxe Feb 27 '17 at 12:46
  • Domains with a suffix of .com or .net are more likely to have enforced glue, regardless of what domain those nameservers live in. Domains ending in .com or .net are required to have glue for nameservers ending in .com or .net, period. As HBruijn was alluding to, you're forced to deal with the whims of the registrar handling the domain as the rules are effectively whatever the web interface chooses to enforce. This isn't a DNS problem so much as a software implementation problem, and as such it's impossible to provide a set of comprehensive guidelines. – Andrew B Feb 27 '17 at 14:42
  • Ok and is it possible that other TLDs such as .hu don't require a glue record, when I use a .hu domain as a nameserver? Because then I could use another TLD to avoid the glue record. I don't like glue records because they are not documented enough and I cannot control the TTL. In case of a DDoS attack or a normal IP address change, glue records are a problem with their hardcoded TTL. – MexDeluxe Feb 27 '17 at 15:25
  • If you use a .hu nameserver for a .hu domain, it's required. Glue is always required when the nameserver falls within the same namespace as the parent. – Andrew B Feb 27 '17 at 15:28
  • Let's say I have example.hu which will be the nameserver domain: ns1.example.hu and ns2.example.hu. But example.hu will not use the ns1.example.hu and ns2.example.hu nameservers; another domain name will be the nameserver of example.hu. Then other domains (can be .com, .hu, .net etc.) will use ns1.example.hu and ns2.example.hu. I noticed that in this case glue records are not required, and every control panel would accept the ns1.example.hu and ns2.example.hu nameservers. But if the nameserver domain is .com, then a lot of domain registrars need glue records, is it possible? – MexDeluxe Feb 27 '17 at 15:43
  • @MexDeluxe You have two things: is the nameserver internal or not, and is it in-bailiwick of the domain it is nameserver for or not. Internal means being in the same zone as the registry, so `ns1.example.hu` is internal to `.hu`. Internal nameservers may have glues, but external ones can not be glues. Now if `ns1.example.hu` is used as nameserver for domain `example.hu` it is in bailiwick and hence it will REQUIRE glue. Otherwise if it is authoritative for `anotherexample.hu` it does not require glue. Registry policies vary a little on when IPs are allowed or mandatory on input. – Patrick Mevzek Jun 05 '18 at 06:43
0

This is not just a requirement for .com/.net either, .info and a lot of other TLDs will do it too (support from domain selling websites told me all of them do it), so if you want to set NS of example.info to ns1.anything.info, ns1.anything.info is required to have a GLUE record in .info, otherwise the NS set will FAIL (no matter which website you purchased your example.info domain from, they will all report a generic error). More alarmingly, if any .info website has NS set to ns1.anything.info, the owner of anything.info also cannot REMOVE the GLUE record ns1.anything.info, it will fail with a generic error as well (I've tried on 3 different domain selling websites). However, since .info and .com/.net are not managed by the same registrar, you can set NS on example.info to be ns1.anything.net or ns1.anything.com and vice versa just fine, without any GLUE records required.

rajkosto
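
The three cases discussed in the answers and comments above (in-bailiwick, internal to a registry's shared nameserver set, external), as an added example that is not part of the original thread. The `TLD_NS` entries for com and net are abbreviated from the dig output in the first answer; the info and hu server names and all function names are constructed for illustration.

```python
# Added example (not from the thread): classify a delegation the way the
# answers describe. com/net entries are abbreviated from the dig output above;
# the info and hu server names are constructed placeholders.
TLD_NS = {
    "com": {"a.gtld-servers.net.", "b.gtld-servers.net."},
    "net": {"a.gtld-servers.net.", "b.gtld-servers.net."},
    "info": {"ns1.info-registry.example."},
    "hu": {"ns1.hu-registry.example."},
}

def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def is_subdomain(name, zone):
    """Label-wise suffix match, so ns1.notexample.com is NOT under example.com."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z

def same_servers(tld_a, tld_b):
    """True when both TLD zones are answered by an overlapping nameserver set."""
    if tld_a == tld_b:
        return True
    a, b = TLD_NS.get(tld_a), TLD_NS.get(tld_b)
    return bool(a and b and a & b)

def classify(domain, nameserver):
    """Return which glue case applies to `nameserver` serving `domain`."""
    if is_subdomain(nameserver, domain):
        # Circular dependency: the parent must hand out the address.
        return "in-bailiwick: glue required"
    if same_servers(labels(domain)[-1], labels(nameserver)[-1]):
        # Same registry servers: a host record with IPs can exist there,
        # and per the answers many registrars insist on it.
        return "internal: glue possible, registrar may insist"
    # Different registry: it cannot hold address records for this name.
    return "external: no glue possible"

if __name__ == "__main__":
    for dom, ns in [("example.com", "ns1.example.com"),
                    ("example.net", "ns1.example.com"),
                    ("anotherexample.hu", "ns1.example.hu"),
                    ("example.info", "ns1.anything.net")]:
        print(f"{dom:20} {ns:20} {classify(dom, ns)}")
```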