Nelson's log

DNS glue records

Had a bit of DNS I didn’t understand today. The whois records for say the name server is So how do you look up the address for That’s a circular dependency!

Turns out the answer is glue records; there’s a good explanation in the first two answers on Stack Exchange, or enjoy this comic strip. Long story short, the same TLD server that tells you that the name server for is also provides an “additional” non-authoritative A record for That short-circuits the circular dependency. You can see this reply yourself with dig +additional. Here’s a (heavily shortened) transcript where I only show the lines along the actual resolution chain:

$ dig +trace +additional SOA

.			13529	IN	NS
;; Received 397 bytes from in 31 ms

com.			172800	IN	NS	172800	IN	A
;; Received 734 bytes from in 279 ms		172800	IN	NS		172800	IN	A
;; Received 660 bytes from in 361 ms		60	IN	SOA 117627770 900 900 1800 60
;; Received 210 bytes from in 36 ms

The key thing there is the third segment. My computer asked who the name server for was, and it gave me an NS record naming But then it also volunteered a non-authoritative A record for that name, That’s the “additional” response that serves the glue record.

The other question is how glue records are administered; who told the address for How do we keep that IP address updated? I’m not sure. My registrar Hover just lets you fill in a glue record but doesn’t explain how that gets sent to the TLD servers. Gandi’s docs have a good explanation too. My guess is it’s part of the protocol that registrars use to communicate with the companies that maintain the TLDs. You don’t just give them NS records for each domain, but you can give them an A record too. I wonder if they auto-update? I’m guessing not.

Glue records are old: they are explained in RFC 1033, complete with an example at This DNS book notes that glue records can also be an optimization; it’s basically providing the answer to the next question the resolver is about to ask. At the cost of being non-authoritative.

(Reading this whole chain I realize I’m still a bit confused about how DNS works. My computer asks my name server who the name server is for “.”, the root, and is told Note it gets no additional A record. But then my computer already knows that is, how did it know that? Maybe a cache? Then it asks that root server for the name server for .com and is told, along with an additional A record. From there it can ask about Google.)

Hat Tip to Andy Fowler for giving me the magic keyword “glue records”.