The old nameserver glue record hell
A recent commentator on HowNotToDoDNSI has prompted me to write about the hell that glue records could be in the Internet's old days. To really cover the horror, I'll start with the ordinary glue record horror.
Glue records are additional A records that get returned by higher level nameservers when people ask for NS records to avoid recursion problems that would otherwise ensue when, eg, foo.com has www.foo.com as its nameserver. This can be exploited to optimize DNS lookups a bit, as the commentator mentioned (it's a neat hack). But this can also lead to 'glue record hell', where you renumber a machine but don't tell your parent nameservers about it, and people keep getting the old IP address from them. (The commentator bumped into this, and I hit it in HowNotToDoDNSVI.)
Most hard glue records these days are 'in-zone glue records', glue records for names inside the zone in question; these are the only ones where you really need the glue records. (Barring circular loops of nameservers, which are wrong anyways.)
However, back in the old days, Network Solutions was promiscuous: all nameservers were included as glue records, whether in-zone or out of zone. NetSol also had no controls on what you could list as nameservers for your domain, so anyone could list one of your machines as one of their nameservers and force it to be included as glue data in the root zones. Of course, because it was their domain, only they could change this information.
Cue interesting explosions any time you tried to renumber, rename, or even remove from service a hostname (or IP address) that was listed as someone's nameserver. Anyone. Anywhere. I don't believe NetSol's whois service had a command to show what domains were using a particular 'host record' as one of their nameservers, just to make it more challenging.
And once you had figured out what domain was holding a reference to one of your hosts, you had to go hunt down the contacts for the domain, wake them up, and persuade them to change the data. Assuming that the contact for the host record wasn't itself borked.
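As an added example (not code from the original entry), here is a small offline audit of parent-zone glue against a host's current addresses: it separates in-zone from out-of-zone glue, flags glue left stale by a renumbering, and answers the reverse question of which zones list a given host as a nameserver. The function names and all zone data are constructed for illustration.

```python
# Added example: offline glue audit. All names and data here are constructed.

def norm(name):
    return name.lower().rstrip(".")

def in_zone(host, zone):
    """True if host is at or below zone, compared label by label."""
    h, z = norm(host).split("."), norm(zone).split(".")
    return len(h) >= len(z) and h[-len(z):] == z

def audit_glue(delegations, glue, authoritative):
    """delegations: {zone: [nameserver names]} as published by the parent.
    glue: {host: set of IPs} held by the parent.
    authoritative: {host: set of IPs} the host's own zone serves today.
    Returns a list of (zone, nameserver, finding) tuples."""
    findings = []
    for zone in sorted(delegations):
        for ns in map(norm, delegations[zone]):
            parent_ips = glue.get(ns, set())
            if in_zone(ns, zone):
                if not parent_ips:  # in-zone nameserver cannot resolve without glue
                    findings.append((zone, ns, "missing-required-glue"))
            elif parent_ips:  # glue the delegation does not need
                findings.append((zone, ns, "out-of-zone-glue"))
            current = authoritative.get(ns)
            if parent_ips and current is not None and parent_ips != current:
                findings.append((zone, ns, "stale-glue"))  # renumbered, parent not told
    return findings

def zones_referencing(host, delegations):
    """Reverse lookup: every zone that lists this host as a nameserver."""
    return sorted(z for z, servers in delegations.items()
                  if norm(host) in map(norm, servers))

# Constructed sample data using documentation address ranges.
DELEGATIONS = {
    "foo.com": ["www.foo.com", "ns.notfoo.com"],
    "bar.example": ["WWW.FOO.COM."],
}
GLUE = {"www.foo.com": {"192.0.2.10"}, "ns.notfoo.com": {"198.51.100.5"}}
AUTHORITATIVE = {"www.foo.com": {"192.0.2.99"}, "ns.notfoo.com": {"198.51.100.5"}}

if __name__ == "__main__":
    for finding in audit_glue(DELEGATIONS, GLUE, AUTHORITATIVE):
        print(finding)
    print(zones_referencing("www.foo.com", DELEGATIONS))
```

Note that ns.notfoo.com is treated as out of zone for foo.com because the comparison is by label, not by string suffix.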
(Thanks go to Clay (I think) for prompting me to write this.)
Sidebar: additional glue records
Many nameservers will give you additional glue records if they happen to have appropriate reputable information lying around. Eg, look at what the .net root servers return for 'dig ns example.net'; while those nameservers are out of example.net, they are in .net, so the .net root servers have good data for their IP addresses.
Also, glue records are returned for more than just NS queries. For this entry I'm ignoring all the other cases.