Had a bit of DNS I didn’t understand today. The whois records for google.com say the name server is ns1.google.com. So how do you look up the address for ns1.google.com? That’s a circular dependency!
Turns out the answer is glue records; there’s a good explanation in the first two answers on Stack Exchange, or enjoy this comic strip. Long story short, the same TLD server that tells you that the name server for google.com is ns1.google.com also provides an “additional” non-authoritative A record for ns1.google.com. That short-circuits the circular dependency. You can see this reply yourself with dig +additional. Here’s a (heavily shortened) transcript where I only show the lines along the actual resolution chain:
$ dig +trace +additional google.com SOA . 13529 IN NS g.root-servers.net. ;; Received 397 bytes from 192.168.0.1#53(192.168.0.1) in 31 ms com. 172800 IN NS k.gtld-servers.net. h.gtld-servers.net. 172800 IN A 22.214.171.124 ;; Received 734 bytes from 126.96.36.199#53(g.root-servers.net) in 279 ms google.com. 172800 IN NS ns4.google.com. ns4.google.com. 172800 IN A 188.8.131.52 ;; Received 660 bytes from 184.108.40.206#53(h.gtld-servers.net) in 361 ms google.com. 60 IN SOA ns3.google.com. dns-admin.google.com. 117627770 900 900 1800 60 ;; Received 210 bytes from 220.127.116.11#53(ns4.google.com) in 36 ms
The key thing there is the third segment. My computer asked h.gtld-servers.net who the name server for google.com was, and it gave me an NS record naming ns4.google.com. But then it also volunteered a non-authoritative A record for that name, 18.104.22.168. That’s the “additional” response that serves the glue record.
The other question is how glue records are administered; who told gtld-servers.net the address for ns4.google.com? How do we keep that IP address updated? I’m not sure. My registrar Hover just lets you fill in a glue record but doesn’t explain how that gets sent to the TLD servers. Gandi’s docs have a good explanation too. My guess is it’s part of the protocol that registrars use to communicate with the companies that maintain the TLDs. You don’t just give them NS records for each domain, but you can give them an A record too. I wonder if they auto-update? I’m guessing not.
Glue records are old: they are explained in RFC 1033, complete with an example at SRI.com. This DNS book notes that glue records can also be an optimization; it’s basically providing the answer to the next question the resolver is about to ask. At the cost of being non-authoritative.
(Reading this whole chain I realize I’m still a bit confused about how DNS works. My computer asks my name server 192.168.0.1 who the name server is for “.”, the root, and is told g.root-servers.net. Note it gets no additional A record. But then my computer already knows that g.root-servers.net is 22.214.171.124, how did it know that? Maybe a cache? Then it asks that root server for the name server for .com and is told k.gtld-servers.net, along with an additional A record. From there it can ask about Google.)
Hat Tip to Andy Fowler for giving me the magic keyword “glue records”.