The old nameserver glue record hell

January 6, 2006

A recent commentator on HowNotToDoDNSI has prompted me to write about the hell that glue records could be in in the Internet's old days. To really cover the horror, I'll start with the ordinary glue record horror.

Glue records are additional A records that get returned by higher level nameservers when people ask for NS records to avoid recursion problems that would otherwise ensue when, eg, foo.com has www.foo.com as its nameserver. This can be exploited to optimize DNS lookups a bit, as the commentator mentioned (it's a neat hack). But this can also lead to 'glue record hell', where you renumber a machine but don't tell your parent nameservers about it, and people keep getting the old IP address from them. (The commentator bumped into this, and I hit it in HowNotToDoDNSVI.)

Most hard glue records these days are 'in-zone glue records', glue records for names inside the zone in question; these are the only ones where you really need the glue records. (Barring circular loops of nameservers, which are wrong anyways.)

However, back in the old days, Network Solutions was promiscuous: all nameservers were included as glue records, whether in-zone or out of zone. NetSol also had no controls on what you could list as nameservers for your domain, so anyone could list one of your machines as one of their nameservers and force it to be included as glue data in the root zones. Of course, because it was their domain, only they could change this information.

Cue interesting explosions any time you tried to renumber, rename, or even remove from service a hostname (or IP address) that was listed as someone's nameserver. Anyone. Anywhere. I don't believe NetSol's whois service had a command to show what domains were using a particular 'host record' as one of their nameservers, just to make it more challenging.

And once you had figured out what domain was holding a reference to one of your hosts, you had to go hunt down the contacts for the domain, wake them up, and persuade them to change the data. Assuming that the contact for the host record wasn't itself borked.

(Thanks go to Clay (I think) for prompting me to write this.)

Sidebar: additional glue records

Many nameservers will give you additional glue records if they happen to have appropriate reputable information lying around. Eg, look at what the .net root servers return for 'dig ns example.net'; while those nameservers are out of example.net, they are in .net, so the .net root servers have good data for their IP addresses.

Also, glue records are returned for more than just NS queries. For this entry I'm ignoring all the other cases.

Written on 06 January 2006.
« Is concurrency 'hard'?
Some notes on Solaris 9's Sunscreen IP filtering package »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Fri Jan 6 02:45:26 2006
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.