I'm puzzled about DNS glue records in the modern world

January 30, 2010

I recently wound up reading a message about upcoming behavior changes to the .com/.net/.edu nameservers (via Dawn Keenan). The short summary of that message is that as of March 1st, those nameservers will mostly stop returning information about out of zone glue records.

Up until I read the message, I had not realized that these nameservers were still carrying (and in fact returning) out of zone glue records and it was just that modern DNS systems were not paying attention to them; I had innocently thought that out of zone glue was entirely gone, due to the era of glue record hell being long over. In fact, it turns out that they were doing so in a way that let people create circular loops of nameservers, which are going to break on March 1st.

(A longer explanation of the situation is in the message; see there for the details, which make my head hurt.)

Some experimentation shows that the out of zone glue records do not have to be from in-zone glue records for their own domain. As an example, suppose you have A.com, with NS records n1.a.com and n2.a.com, and B.com, with NS records n1.a.com and n3.a.com. If you do an NS lookup for B.com at the .com nameservers, you'll get back IP addresses for both n1.a.com, which is in-zone glue for A.com and thus necessary to carry in the .com zone, and n3.a.com, which is not. This means that something in the whole nameserver and zone management process knows or is looking up n3.a.com's IP address, and is adding it to the .com DNS information.

All of this leaves me puzzled about what the rules are for out of zone glue records in the modern world, although it probably varies by DNS zone (and maybe even registrar).

(The client-side resolver rules are clearer; apparently pretty much you always ignore any out of zone A records that you get back.)

Written on 30 January 2010.
« A theory about Apple's new iPad
Thinking about syndication feeds and spoilers »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Jan 30 02:40:15 2010
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.