Glue Records and Dedicated DNS

In normal DNS resolution, when a resolver attempts to resolve a domain name, it first queries the root servers, which refer it to the top-level domain (TLD) servers. Next, it queries the TLD servers, which provide the domain’s authoritative nameservers. Finally, it queries the authoritative nameservers for the domain to resolve the domain name. If the nameservers for a domain exist inside the domain itself, a glue record is needed to resolve the domain name.

What is a Glue Record?

Glue records are DNS records created at the domain’s registrar. The record provides a complete answer when the TLD nameserver returns a referral to an authoritative nameserver for a domain. For example, the domain name “example.net” has nameservers “ns1.example.net” and “ns2.example.net”. To resolve the domain name, a resolver would query in order: root, TLD nameserver, and authoritative nameserver. However, when the authoritative nameservers are inside the domain itself, they cannot be found without outside assistance. This is called a ‘circular reference’. Creating a glue record, an A record served by the TLD nameserver, avoids the circular reference and allows for both DNS name resolution and listing the nameservers inside the domain itself.

Glue records can only be created at the domain registrar as the registrar controls the DNS settings for a given domain’s delegation. Every nameserver on the internet has its own glue record created by the domain’s owner. For example, NS1’s nameservers at ‘dnsx.p0y.nsone.net’ all have glue records created at our registrar.

When do I need a Glue Record?

You need to create a glue record when you host your own authoritative servers. If a third party, such as a managed DNS provider, hosts your authoritative nameservers, then the provider takes care of setting up the glue record.

When you host your own authoritative servers, you need to set up the glue records with the domain registrar.

Dedicated DNS needs Glue Records

One instance of this scenario is Dedicated DNS. NS1 strongly recommends that a separate domain name is registered for the Dedicated DNS servers, ensuring that there are two separate namespaces in delegation.

NS1 recommends this as a best practice so that the Dedicated DNS instances are easy to distinguish from the DNS setup for the customer’s standard domain. For instance, the company “Example Company” with a domain “example.net” may register the domain “exampledns.net” to use with our Dedicated DNS services.

Once the Dedicated DNS service has been provisioned, the nameservers’ IP addresses will need to be added at the registrar as glue records. Here is an example of four nameservers for the domain “exampledns.net” being configured in Google Domains:

Once the glue records have been added at the registrar, delegate both the Dedicated DNS servers and Managed DNS servers to complete the setup. The glue records at the registrar will make sure that the Dedicated DNS setup will work properly.

What Do Glue Records Look Like in the dig tool?

Glue records appear in the ADDITIONAL SECTION of the dig tool response. To see your domain’s glue records using the dig tool, query a TLD server for your domain’s nameserver. The glue records in this example are in quotation marks.

NOTE: In a dig tool response there will not be quotation marks around the glue records.

 
;<<>> DiG 9.10.3-P4-Ubuntu <<>> NS example.net @g.gtld-servers.net
;; global options: +cmd
;;Got answer:
;; ->>>HEADER<<<- opcode: QUERY, status: NOERROR, id: 15964
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5
;; WARNING: recursion requested but not available
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4685
;; QUESTION SECTION:
;example.net.                IN    NS
 
;; AUTHORITY SECTION:
example.net.        172800     IN    NS    ns1.p01.example.net.
example.net.        172800     IN    NS    ns1.p02.example.net.
example.net.        172800     IN    NS    ns1.p03.example.net.
example.net.        172800     IN    NS    ns1.p04.example.net.
 
;; ADDITIONAL SECTION:
"ns1.p01.example.net.        172800     IN    A    186.25.44.1"
"ns1.p02.example.net.        172800     IN    A    186.25.45.1"
"ns1.p03.example.net.        172800     IN    A    186.25.44.65"
"ns1.p04.example.net.        172800     IN    A    186.25.45.65"

 

How Do I Know My Glue Records Are Correct?

To verify that your glue records are correctly listed at the TLD servers, you need to know the nameserver domain names and the IP addresses they are assigned. Query the TLD servers for your domain’s nameservers using the dig tool. Compare the ADDITIONAL SECTION contents of the query response to those domain names and IP addresses. If they match, the glue records are set up properly.
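
One way to script the comparison described above, as an added example (not NS1's code): it parses saved dig output, pulls the NS names from the AUTHORITY SECTION and the A/AAAA records from the ADDITIONAL SECTION, and reports any nameserver whose glue differs from the addresses you assigned. The function names parse_dig and check_glue are hypothetical, and the sample input is constructed from the first two nameservers of the example response above.

```python
import re

# Constructed sample: two nameservers from the example response, without quotation marks.
SAMPLE_DIG = """\
;; AUTHORITY SECTION:
example.net.        172800     IN    NS    ns1.p01.example.net.
example.net.        172800     IN    NS    ns1.p02.example.net.

;; ADDITIONAL SECTION:
ns1.p01.example.net.        172800     IN    A    186.25.44.1
ns1.p02.example.net.        172800     IN    A    186.25.45.1
"""

# owner, TTL, class IN, record type, record data
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def parse_dig(text):
    """Return (delegated nameserver names, {nameserver: set of glue IPs})."""
    section, ns, glue = None, set(), {}
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^;; (\w+) SECTION:", line)
        if header:
            section = header.group(1)
            continue
        m = RR.match(line)
        if not m:
            continue  # comments, question line, other record types
        owner, rtype = m.group(1).lower().rstrip("."), m.group(2)
        rdata = m.group(3).lower().rstrip(".")
        if section == "AUTHORITY" and rtype == "NS":
            ns.add(rdata)
        elif section == "ADDITIONAL" and rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata)
    return ns, glue

def check_glue(text, expected):
    """Compare TLD-served glue with assigned addresses; return a list of problems."""
    expected = {k.lower().rstrip("."): set(v) for k, v in expected.items()}
    ns, glue = parse_dig(text)
    problems = []
    for name in sorted(ns | set(expected)):
        want, got = expected.get(name, set()), glue.get(name, set())
        if name not in ns:
            problems.append(f"{name}: expected, but not delegated by the TLD")
        elif name not in expected:
            problems.append(f"{name}: delegated by the TLD, but not expected")
        elif want != got:
            problems.append(f"{name}: glue {sorted(got)} != expected {sorted(want)}")
    return problems
```

In practice, pass it the saved output of the dig query against the TLD server and a dictionary of your own nameserver names and assigned addresses; an empty list means the glue matches.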