
DNS: Glue records

From: http://en.wikipedia.org/wiki/Domain_name_system

and more specifically

From: http://en.wikipedia.org/wiki/Domain_name_system#Circular_dependencies_and_glue_records

Circular dependencies and glue records

Name servers in delegations appear listed by name, rather than by IP address. This means that a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred. Since this can introduce a circular dependency if the nameserver referred to is under the domain that it is authoritative for, it is occasionally necessary for the nameserver providing the delegation to also provide the IP address of the next nameserver. This record is called a glue record.

For example, wisc.edu has the following authoritative name servers:

[m7h@trigger]$ dig wisc.edu NS +short
adns1.doit.wisc.edu. 
adns4.doit.wisc.edu.
adns3.doit.wisc.edu.
adns2.doit.wisc.edu.

A computer trying to resolve www.doit.wisc.edu will thus first have to resolve adns2.doit.wisc.edu, adns4.doit.wisc.edu, and so on. But how can the computer resolve one of those names if, in order to look up the name, it needs to know the DNS server's IP address? In this case, the dependency is broken by the glue record in the nameservers for .edu. This provides the IP addresses of adns1.doit.wisc.edu, adns2.doit.wisc.edu, adns3.doit.wisc.edu, and adns4.doit.wisc.edu to the requester, enabling it to bootstrap the process by figuring out where the nameservers are located.

As of 3 March 2022, here are the glue records for adns1,2,3,4.doit.wisc.edu:

doit.wisc.edu.            IN  NS       adns1.doit.wisc.edu.
doit.wisc.edu.            IN  NS       adns2.doit.wisc.edu.
doit.wisc.edu.            IN  NS       adns3.doit.wisc.edu.
doit.wisc.edu.            IN  NS       adns4.doit.wisc.edu.
adns1.doit.wisc.edu.      IN  A        144.92.9.21
adns2.doit.wisc.edu.      IN  A        144.92.20.99
adns3.doit.wisc.edu.      IN  A        144.92.104.21
adns4.doit.wisc.edu.      IN  A        128.6.1.132

If the IP address of adns1,2,3 ever changes, it would need to be updated in the doit.wisc.edu zone as well as in the wisc.edu zone, where the glue record is kept. If you omit the final step (updating the glue record in the wisc.edu zone), adns1,2,3 will be unresolvable for ALL recursive nameservers.

Glue records and determining authority

A glue record doesn't provide any authority; it just tells a recursive nameserver where to find an authoritative answer. Ultimately, the authoritative nameservers provide this information.

For example, let's say that only the following records for the doit.wisc.edu domain existed in wisc.edu:

doit.wisc.edu.            IN  NS       adns1.doit.wisc.edu.
adns1.doit.wisc.edu.      IN  A        144.92.9.21

A dig might still reveal the following.

[timc@netcms1 ~]$ dig doit.wisc.edu NS +short | sort
adns1.doit.wisc.edu.
adns2.doit.wisc.edu.
adns3.doit.wisc.edu.
adns4.doit.wisc.edu.

Where did adns2 and adns3 come from? The recursive client is given the adns1 glue record for the doit.wisc.edu zone, but adns1 reports that it, as well as adns2 and adns3, is authoritative.

Glue records for adns2 and adns3 are critical. If they are not in place and adns1 goes offline, the doit.wisc.edu zone cannot be queried, because a recursive DNS server will not know to ask adns2 or adns3.
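
The two failure modes described above (glue left unchanged after an address change, and name servers the parent zone has no glue or delegation for) can be found by comparing the parent zone's records with the child zone's own. The following is an added example, not part of the original document: the record text is constructed from the addresses listed on this page, 192.0.2.99 is a made-up stale value, and parse and audit_glue are hypothetical helper names.

```python
# Added example. Record text is constructed sample data, not a live zone transfer.
PARENT = """\
doit.wisc.edu.        IN NS adns1.doit.wisc.edu.
doit.wisc.edu.        IN NS adns2.doit.wisc.edu.
doit.wisc.edu.        IN NS adns3.doit.wisc.edu.
adns1.doit.wisc.edu.  IN A  144.92.9.21
adns2.doit.wisc.edu.  IN A  192.0.2.99
"""  # constructed: adns2 glue is a made-up stale address, adns3 glue is absent
CHILD = """\
doit.wisc.edu.        IN NS adns1.doit.wisc.edu.
doit.wisc.edu.        IN NS adns2.doit.wisc.edu.
doit.wisc.edu.        IN NS adns3.doit.wisc.edu.
doit.wisc.edu.        IN NS adns4.doit.wisc.edu.
adns1.doit.wisc.edu.  IN A  144.92.9.21
adns2.doit.wisc.edu.  IN A  144.92.20.99
adns3.doit.wisc.edu.  IN A  144.92.104.21
adns4.doit.wisc.edu.  IN A  128.6.1.132
"""  # constructed: what the zone's own authoritative servers publish

def parse(text):
    """Map (owner, type) -> set of rdata for 'owner IN type rdata' lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[1].upper() == "IN":
            owner, _, rtype, rdata = fields
            records.setdefault((owner.lower(), rtype.upper()), set()).add(rdata.lower())
    return records

def audit_glue(parent_text, child_text, zone):
    """Return (nameserver, problem) pairs; 'not-delegated' = in child NS set only."""
    parent, child = parse(parent_text), parse(child_text)
    delegated = parent.get((zone, "NS"), set())
    findings = []
    for ns in sorted(delegated):
        if not (ns == zone or ns.endswith("." + zone)):
            continue  # name server outside the zone: no circular dependency, no glue needed
        glue = parent.get((ns, "A"), set())
        if not glue:
            findings.append((ns, "missing-glue"))
        elif glue != child.get((ns, "A"), set()):
            findings.append((ns, "stale-glue"))
    for ns in sorted(child.get((zone, "NS"), set()) - delegated):
        findings.append((ns, "not-delegated"))
    return findings

if __name__ == "__main__":
    for ns, problem in audit_glue(PARENT, CHILD, "doit.wisc.edu."):
        print(f"{problem:14} {ns}")
```

Against live zones, the two inputs would come from the parent zone's delegation records and from the child zone's authoritative servers respectively.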



Keywords: glue records delegation org
Doc ID: 8959
Owner: Tim C.
Group: DDI
Created: 2009-01-29 19:00:00
Updated: 2023-08-01 11:39:33
Sites: DNS, DHCP, and IPAM, Network Services, Systems & Network Control Center