Saturday, April 23, 2016

Are "Glue" records in DNS used only by nameservers of the same domain?



I am a bit confused about where a "glue record" is used in DNS.




This document says:




If you are using someone else's name servers (eg. your ISP's), you
won't need to worry about glue records. You only need to worry about
glue records when you are configuring your own name servers where a
circular reference exists.




And so a glue record will be present only for nameservers which are within the domain for which they are authoritative, i.e. they are required if example.com has ns1.example.com as its nameserver, and not required if the nameserver is in another domain.




Based on this document, I used the dig command to see if glue records are present for domains which have their nameservers hosted in another domain. Surprisingly, they have glue records too! I am trying to see if novanext.com has a glue record, as its nameservers are in a different domain.



Updated



$ dig ns com.
;; ANSWER SECTION:
com. 85916 IN NS j.gtld-servers.net.
com. 85916 IN NS f.gtld-servers.net.
com. 85916 IN NS i.gtld-servers.net.
com. 85916 IN NS g.gtld-servers.net.
....


Next, getting the "glue" record of the novanext.com domain:



$ dig ns novanext.com @g.gtld-servers.net.

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> ns novanext.com @g.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55040
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;novanext.com. IN NS

;; AUTHORITY SECTION:
novanext.com. 172800 IN NS ns2.net4india.com.
novanext.com. 172800 IN NS ns1.net4india.com.

;; ADDITIONAL SECTION:
ns2.net4india.com. 172800 IN A 202.71.131.12
ns2.net4india.com. 172800 IN A 202.71.131.13
ns2.net4india.com. 172800 IN A 202.71.131.241
ns1.net4india.com. 172800 IN A 202.71.128.222
ns1.net4india.com. 172800 IN A 202.71.128.37
ns1.net4india.com. 172800 IN A 202.71.129.33

;; Query time: 279 msec


How is this possible? I have googled a lot but am still not able to figure it out. Any help will be appreciated.


Answer




And so a glue record will be present only for nameservers which are within the domain for which they are authoritative, i.e. they are required if example.com has ns1.example.com as its nameserver, and not required if the nameserver is in another domain.




Sadly, this is an incorrect conclusion to draw. There's nothing to stop you from serving glue records that aren't strictly necessary. Let's say that I operate the nameservers for example.com, and I want to delegate sub.example.com to ns1.contoso.com.




Defining the delegation is simple enough:



sub.example.com. IN NS ns1.contoso.com.



That should be enough by itself, but I could also define a glue record for it:



ns1.contoso.com. IN A 203.0.113.1



This would cause my nameserver to include 203.0.113.1 in the referrals for ns1.contoso.com as glue. My nameservers aren't responsible for contoso.com, and no sane nameserver on the internet is going to store that glue record in cache.




What they will do is assume that I want 203.0.113.1 to be queried if ns1.contoso.com is not currently in cache. This is fine...until the admins for contoso.com change the IP address of ns1.contoso.com. My glue would be wrong, and in many cases this referral would break.
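The distinction drawn in the question and the answer can be checked mechanically. The following is an added example, not part of the original question or answer: it parses dig-style referral records and labels each nameserver as in-domain (the circular case where glue is required), sibling (a different domain, but still inside the zone the referring server serves, as with ns1.net4india.com under com.), or out-of-bailiwick (the ns1.contoso.com case). The function names, the 3600 TTL and the 192.0.2.53 address are assumptions made for the example; the category names are the terms used in RFC 8499.

```python
# Added example: classify the nameservers in a DNS referral by bailiwick (hypothetical helpers).
def in_zone(name, zone):
    """True if name equals zone or is a subdomain of it (whole-label match)."""
    n = name.lower().rstrip(".").split(".")
    z = [label for label in zone.lower().rstrip(".").split(".") if label]
    return len(z) <= len(n) and n[len(n) - len(z):] == z

def classify_referral(text, parent_zone):
    """Parse dig-style records; return {ns_name: (category, [addresses])}."""
    ns, addrs = {}, {}
    for line in text.splitlines():
        f = line.split()
        if line.startswith(";") or len(f) != 5 or f[2] != "IN":
            continue                       # skip comments, blanks, question lines
        owner, rtype, rdata = f[0].lower(), f[3], f[4]
        if rtype == "NS":
            ns[rdata.lower()] = owner      # NS target -> delegated zone
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append(rdata)
    result = {}
    for target, delegated in ns.items():
        if in_zone(target, delegated):
            category = "in-domain"         # circular reference: glue is required
        elif in_zone(target, parent_zone):
            category = "sibling"           # inside the zone the referring server serves
        else:
            category = "out-of-bailiwick"  # referring server has no authority over it
        result[target] = (category, addrs.get(target, []))
    return result

# Referral from the question; g.gtld-servers.net serves the com. zone.
QUESTION_REFERRAL = """\
novanext.com. 172800 IN NS ns2.net4india.com.
novanext.com. 172800 IN NS ns1.net4india.com.
ns2.net4india.com. 172800 IN A 202.71.131.12
ns2.net4india.com. 172800 IN A 202.71.131.13
ns2.net4india.com. 172800 IN A 202.71.131.241
ns1.net4india.com. 172800 IN A 202.71.128.222
ns1.net4india.com. 172800 IN A 202.71.128.37
ns1.net4india.com. 172800 IN A 202.71.129.33
"""
# Constructed from the answer's two zone lines; the 3600 TTL is made up.
ANSWER_REFERRAL = "sub.example.com. 3600 IN NS ns1.contoso.com.\nns1.contoso.com. 3600 IN A 203.0.113.1\n"
# Constructed: the circular example.com / ns1.example.com case; 192.0.2.53 is a documentation address.
CIRCULAR_REFERRAL = "example.com. 172800 IN NS ns1.example.com.\nns1.example.com. 172800 IN A 192.0.2.53\n"
if __name__ == "__main__":
    for text, zone in ((QUESTION_REFERRAL, "com."), (ANSWER_REFERRAL, "example.com."), (CIRCULAR_REFERRAL, "com.")):
        for name, (category, ips) in classify_referral(text, zone).items():
            print(f"{zone:13} {name:20} {category:17} {ips}")
```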

