Doing a lookup for my domain on http://www.intodns.com/ I noticed these two messages:
In Parent section:
DNS Parent sent Glue: The parent nameserver g.gtld-servers.net is not sending out GLUE for every nameserver listed, meaning he is sending out your nameservers' host names without sending the A records of those nameservers. It's ok but you have to know that this will require an extra A lookup that can delay a little the connections to your site. This happens a lot if you have nameservers on a different TLD (domain.com for example with nameserver ns.domain.org.)
and in NS section:
Glue for NS records INFO: GLUE was not sent when I asked your nameservers for your NS records. This is ok but you should know that in this case an extra A record lookup is required in order to get the IPs of your NS records. The nameservers without glue are: 109.230.225.96 84.201.40.52. You can fix this for example by adding A records to your nameservers for the zones listed above.
I do perfectly understand that the primary objective of glue records is to resolve circular dependencies.
The classic use case:
my domain is example.com and I want to have the nameserver ns1.example.com. This will never work because I cannot know the IP of ns1.example.com if I don't fetch example.com, and in order to do that I need to fetch it from ns1.example.com. To resolve this deadlock I add a glue record for ns1.example.com containing the IP address of the nameserver, so this can work out.
So this problem does not occur if the nameservers are in a different TLD than the domain I want to look up. However, to fetch the zone information from the nameservers I need to know their IP address, right? And in order to know that I need to fetch the zone the nameservers are in from their respective nameservers, right? (or rather my ISP needs to do that in the background) So an extra lookup that takes time?
If I now have glue records, I know the IP address right away without the need to look it up - so this should speed up the resolution of my domain, shouldn't it?
However my DNS zone provider (tecserver.at) replied that
this would make no sense because "we are not running ns1.ourdomain.com and ns2.ourdomain.com as authoritative NS for ourdomain.com.
This would be the only sense for glue records.
Tecserver has a glue record because the NS for tecserver.at are ns1.tecserver.at and ns2.tecserver.at. Therefore a glue record is needed for resolution.
Glue should only exist when the name servers for your domain are within the same domain name.
Technically this is not a circularity problem - those occur when two domains have NS records that mutually point into the other domain name. These are now considered to be a configuration error.

Any A record included along with the NS records should be ignored unless it meets the same domain criteria above, since remembering "out of bailiwick glue" can lead to security issues such as the Kaminsky attack. See also s5.4.1 of RFC 2181.

[in other words - your ISP is essentially correct here, and the intodns.com advice is incorrect].
Yes, glue records do speed up domain resolution, and yes, your provider is wrong from a technical point of view with their answer (assuming you translated them right).
However, they are right about the approach. There is a lot of craze about glue records. Yes, they do save you one lookup (sometimes), amounting to an outstanding 1-200 bytes and (rarely) some latency. However, the complication incurred by abusing glue records for performance improvement dwarfs the gains.
Make sure you refer your provider's nameservers with the names they recommend (ns1.they.com or a.ns or whatever), then just stop worrying.
Other answers forget about one thing, far more important than speed: correctness.
If example.com has ns1.example.com as nameserver, on a query for NS the registry will send ns1.example.com in the answer section, and the glue records (A and AAAA) in the DNS packet additional section. The resolver getting those CAN use the glue record because it sees that it is for a name the registry is authoritative on, so the caller can believe this result.

On the other end, if the nameserver was ns1.provider.example. (a completely different TLD in another registry), even if the .com registry would have sent an A record for that name in the additional section, any security aware resolver will refuse to take it into account because it is a piece of information that the sender (registry) is not authoritative for. Otherwise, imagine, at each step, if any server can send you A records for any related name to your query, in any other zone and having the caller accept them... That makes hijacking far too easy. (and DNSSEC does not help here because only content in the ANSWER section is signed, glue records in ADDITIONAL section are not)
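The three situations discussed in this thread (the circular dependency the question describes, the extra A lookup intodns warns about for out-of-zone nameservers, and the bailiwick rule the answers give for ignoring additional-section records the sender is not authoritative for) can be walked through with a toy iterative resolver. This is an added example written for this page; it is not code from the question, the answers, tecserver.at or intodns.com. Every zone, nameserver name and address in it is constructed (RFC 5737 documentation ranges), each zone is served by a single made-up server, and only A records are modelled.

```python
"""Toy iterative resolver: why glue exists, what it saves, and why
out-of-bailiwick glue must be ignored. Added example for this thread,
not code from the question or any answer. All zones, names and
addresses are constructed; one server per zone, A records only."""

ROOT_HINT = "198.41.0.4"  # constructed root server address (the resolver's hint)

# Constructed zone data: the delegations a zone hands out (NS names plus the
# A records the parent puts in the ADDITIONAL section) and its own A records.
ZONES = {
    ".": {"delegations": {
            "com.": {"ns": ["a.gtld-servers.net."], "glue": {"a.gtld-servers.net.": "192.0.2.30"}},
            "example.": {"ns": ["a.nic.example."], "glue": {"a.nic.example.": "192.0.2.40"}}},
          "records": {}},
    "com.": {"delegations": {}, "records": {}},  # example.com. delegation is set per scenario
    "example.": {"delegations": {
            "provider.example.": {"ns": ["ns1.provider.example."],
                                  "glue": {"ns1.provider.example.": "203.0.113.1"}}},
          "records": {}},
    "example.com.": {"delegations": {}, "records": {"www.example.com.": "192.0.2.10",
                                                    "ns1.example.com.": "192.0.2.1"}},
    "provider.example.": {"delegations": {}, "records": {"ns1.provider.example.": "203.0.113.1"}},
    # A server an attacker controls; it answers for example.com. with its own address.
    "attacker.": {"delegations": {}, "records": {"www.example.com.": "198.51.100.66"}},
}
# Which constructed address serves which zones (one host may serve several).
SERVER_OF = {"198.41.0.4": ["."], "192.0.2.30": ["com."], "192.0.2.40": ["example."],
             "192.0.2.1": ["example.com."], "203.0.113.1": ["provider.example.", "example.com."],
             "198.51.100.66": ["attacker."]}

class GlueDeadlock(Exception):
    """In-bailiwick nameserver without glue: the zone cannot be reached."""

def in_bailiwick(name, zone):
    """True when name is at or below zone; the root zone covers every name."""
    return zone == "." or name == zone or name.endswith("." + zone)

def query(server_ip, qname):
    """One round trip to a constructed server: ('answer', ip) or a referral."""
    for zone_name in SERVER_OF[server_ip]:
        zone = ZONES[zone_name]
        if qname in zone["records"]:
            return ("answer", zone["records"][qname])
        for child, deleg in zone["delegations"].items():
            if in_bailiwick(qname, child):
                return ("referral", child, deleg["ns"], deleg["glue"])
    raise LookupError(f"{server_ip} has no data for {qname}")

def resolve(qname, check_bailiwick=True, log=None, depth=0):
    """Iterate from the root hint; returns (address, number of queries sent)."""
    log = [] if log is None else log
    server, zone, queries = ROOT_HINT, ".", 0
    while True:
        queries += 1
        resp = query(server, qname)
        log.append(f"{'  ' * depth}{qname} @ {server} -> {resp[0]}")
        if resp[0] == "answer":
            return resp[1], queries
        _, child, ns_names, additional = resp
        # The rule from the answers: ADDITIONAL records are only usable when
        # the server that sent them is authoritative for the name.
        usable = {n: ip for n, ip in additional.items()
                  if not check_bailiwick or in_bailiwick(n, zone)}
        target = next((n for n in ns_names if n in usable), None)
        if target is not None:
            server = usable[target]           # glue used: no extra lookup
        else:
            ns = ns_names[0]
            if in_bailiwick(ns, child):       # the circular case glue exists for
                raise GlueDeadlock(f"{ns} is inside {child} but {zone} sent no glue for it")
            server, extra = resolve(ns, check_bailiwick, log, depth + 1)
            queries += extra                  # the extra A lookup intodns warns about
        zone = child

def set_example_com_delegation(ns_names, glue):
    ZONES["com."]["delegations"]["example.com."] = {"ns": list(ns_names), "glue": dict(glue)}

def scenario_in_bailiwick_glue():
    """ns1.example.com. with glue from com.: three queries, no extra lookup."""
    set_example_com_delegation(["ns1.example.com."], {"ns1.example.com.": "192.0.2.1"})
    return resolve("www.example.com.")

def scenario_missing_glue():
    """ns1.example.com. without glue: the deadlock the question describes."""
    set_example_com_delegation(["ns1.example.com."], {})
    try:
        resolve("www.example.com.")
    except GlueDeadlock as err:
        return str(err)

def scenario_out_of_bailiwick(check_bailiwick=True):
    """ns1.provider.example. as NS; com. also sends a poisoned A record for it."""
    set_example_com_delegation(["ns1.provider.example."],
                               {"ns1.provider.example.": "198.51.100.66"})
    return resolve("www.example.com.", check_bailiwick=check_bailiwick)

if __name__ == "__main__":
    print("in-bailiwick glue  :", scenario_in_bailiwick_glue())
    print("missing glue       :", scenario_missing_glue())
    print("strict resolver    :", scenario_out_of_bailiwick(True))
    print("no bailiwick check :", scenario_out_of_bailiwick(False))
```

With in-bailiwick glue the resolver reaches www.example.com. in three queries; with the same nameserver and no glue it cannot reach example.com. at all. With ns1.provider.example. as nameserver a strict resolver discards the A record the .com server volunteered, spends three more queries resolving the nameserver name through the .example tree (that is the "extra lookup" intodns reports) and still gets the genuine answer, whereas a resolver that trusts out-of-bailiwick additional data gets there in three queries and is served the attacker's address. The speed difference is real but small; the correctness difference is the whole point of the bailiwick rule.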