DNS glue records

Had a bit of DNS I didn’t understand today. The whois records for google.com say the name server is ns1.google.com. So how do you look up the address for ns1.google.com? That’s a circular dependency!

Turns out the answer is glue records; there’s a good explanation in the first two answers on Stack Exchange, or enjoy this comic strip. Long story short, the same TLD server that tells you that the name server for google.com is ns1.google.com also provides an “additional” non-authoritative A record for ns1.google.com. That short-circuits the circular dependency. You can see this reply yourself with dig +additional. Here’s a (heavily shortened) transcript where I only show the lines along the actual resolution chain:

$ dig +trace +additional google.com SOA

.			13529	IN	NS	g.root-servers.net.
;; Received 397 bytes from 192.168.0.1#53(192.168.0.1) in 31 ms

com.			172800	IN	NS	k.gtld-servers.net.
h.gtld-servers.net.	172800	IN	A	192.54.112.30
;; Received 734 bytes from 192.112.36.4#53(g.root-servers.net) in 279 ms

google.com.		172800	IN	NS	ns4.google.com.
ns4.google.com.		172800	IN	A	216.239.38.10
;; Received 660 bytes from 192.54.112.30#53(h.gtld-servers.net) in 361 ms

google.com.		60	IN	SOA	ns3.google.com. dns-admin.google.com. 117627770 900 900 1800 60
;; Received 210 bytes from 216.239.38.10#53(ns4.google.com) in 36 ms

The key thing there is the third segment. My computer asked h.gtld-servers.net who the name server for google.com was, and it gave me an NS record naming ns4.google.com. But then it also volunteered a non-authoritative A record for that name, 216.239.38.10. That’s the “additional” response that serves the glue record.

The other question is how glue records are administered; who told gtld-servers.net the address for ns4.google.com? How do we keep that IP address updated? I’m not sure. My registrar Hover just lets you fill in a glue record but doesn’t explain how that gets sent to the TLD servers. Gandi’s docs have a good explanation too. My guess is it’s part of the protocol that registrars use to communicate with the companies that maintain the TLDs. You don’t just give them NS records for each domain, but you can give them an A record too. I wonder if they auto-update? I’m guessing not.

Glue records are old: they are explained in RFC 1033, complete with an example at SRI.com. This DNS book notes that glue records can also be an optimization; the parent is basically providing the answer to the next question the resolver is about to ask, at the cost of that answer being non-authoritative.
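To make the circular dependency and the glue shortcut concrete, here is a small simulation of the step a resolver takes when it receives a referral. This is an added example, not code from the post; the referral data is constructed in-line (reusing the ns4.google.com / 216.239.38.10 pair from the transcript above), and the rule of only trusting additional records that fall inside the responding server's own zone is the common "in-bailiwick" check real resolvers apply to glue, not something the post itself describes.

```python
"""Simulated referral handling: how glue in the additional section lets a
resolver proceed, and why glue from outside the parent's zone is ignored.
All data below is constructed; no network traffic is involved."""
from dataclasses import dataclass, field


@dataclass
class Referral:
    from_zone: str                 # zone the answering server is authoritative for, e.g. "com."
    delegated: str                 # zone being delegated, e.g. "google.com."
    ns: list                       # NS target names from the authority section
    additional: dict = field(default_factory=dict)   # name -> A address (glue)


class CircularDependency(Exception):
    """Raised when every NS name lives inside the zone it is supposed to serve
    and no glue was supplied, so there is nowhere to ask for its address."""


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (both fully qualified with a trailing dot)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def usable_glue(ref: Referral) -> dict:
    """Keep only additional A records the answering server can vouch for.
    A com. server may hand out glue for ns4.google.com., but an A record it
    volunteers for some name under .net is out of bailiwick and is dropped
    rather than cached; this is what keeps stray additional data from
    overriding answers the resolver should get from the right authority."""
    return {n: a for n, a in ref.additional.items() if in_bailiwick(n, ref.from_zone)}


def pick_server(ref: Referral, known: dict = None):
    """Return (ns_name, address) for a name server we can contact next.
    `known` stands in for the resolver's cache (a real resolver seeds it with
    the static root hints). Returns None when an NS name must first be
    resolved by a separate lookup, and raises when that lookup is impossible."""
    known = dict(known or {})
    known.update(usable_glue(ref))
    for name in ref.ns:
        if name in known:
            return name, known[name]
    if all(in_bailiwick(n, ref.delegated) for n in ref.ns):
        raise CircularDependency(
            f"{ref.ns} are inside {ref.delegated}; without glue they cannot be looked up")
    return None


# Constructed referrals: the glued case from the transcript, the same referral
# stripped of glue, and a referral carrying glue the com. server cannot vouch for.
WITH_GLUE = Referral("com.", "google.com.", ["ns4.google.com."], {"ns4.google.com.": "216.239.38.10"})
NO_GLUE = Referral("com.", "google.com.", ["ns4.google.com."])
OUT_OF_BAILIWICK = Referral("com.", "example.com.", ["ns.other-example.net."],
                            {"ns.other-example.net.": "192.0.2.1"})
```

Calling `pick_server(WITH_GLUE)` yields the ns4.google.com address directly, `pick_server(NO_GLUE)` raises `CircularDependency`, and the out-of-bailiwick referral returns None because its glue is discarded and the .net name has to be resolved on its own.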

(Reading this whole chain I realize I’m still a bit confused about how DNS works. My computer asks my name server 192.168.0.1 who the name server is for “.”, the root, and is told g.root-servers.net. Note it gets no additional A record. But then my computer already knows that g.root-servers.net is 192.112.36.4, how did it know that? Maybe a cache? Then it asks that root server for the name server for .com and is told k.gtld-servers.net, along with an additional A record. From there it can ask about Google.)

Hat Tip to Andy Fowler for giving me the magic keyword “glue records”.

3 thoughts on “DNS glue records”

  1. Thanks Paul! So maybe DNS priming got me the address (on Ubuntu) but dig didn’t see the query because it happened before or in parallel? I should clarify I’m not running bind on the Ubuntu box nor any funky DNS setup. My nameserver at 192.168.0.1 is a router running Tomato.
