Score:-1

Glue record limitations for authoritative nameservers


I am trying to set up some nameservers for use by many domains, but there appear to be some issues with my set-up and I am not clear on what needs to be fixed to get it to work.

For my nameservers, it is set up as follows:

  1. I have several nameserver domains: ns-com.example, ns-net.example, ns-org.example.
  2. I have several nameservers. Each nameserver corresponds to its own subdomain of those nameserver domains:
     ns1 => 192.0.2.123
     ns2 => 192.0.2.124
     ns3 => 192.0.2.125
     ns4 => 192.0.2.126
  3. Every domain has ns1 and ns2 for its nameservers. Therefore, I created glue records for each. Note that this means there are no glue records for ns3 and ns4. Example dig output from the gTLD server:

; <<>> DiG 9.16.1-Ubuntu <<>> +norec @c.gtld-servers.net. ns-net.example.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11669
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns-net.example.                 IN      A

;; AUTHORITY SECTION:
ns-net.example.          172800  IN      NS      ns1.ns-net.example.
ns-net.example.          172800  IN      NS      ns2.ns-net.example.

;; ADDITIONAL SECTION:
ns1.ns-net.example.     172800  IN      A       192.0.2.123
ns2.ns-net.example.     172800  IN      A       192.0.2.124

;; Query time: 23 msec
;; SERVER: 192.26.92.30#53(192.26.92.30)
;; WHEN: Mon Dec 13 14:34:20 EST 2021
;; MSG SIZE  rcvd: 109
  4. If one were to perform an NS query, every nameserver would respond with the corresponding ns1 and ns2 answers with the IP addresses listed in the additional section.

; <<>> DiG 9.16.1-Ubuntu <<>> +norec @ns1.ns-net.example. ns-net.example. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16843
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d757529672f25fcb (echoed)
;; QUESTION SECTION:
;ns-net.example.                IN      NS

;; ANSWER SECTION:
ns-net.example.         14400   IN      NS      ns1.ns-net.example.
ns-net.example.         14400   IN      NS      ns2.ns-net.example.

;; ADDITIONAL SECTION:
ns1.ns-net.example.     300     IN      A       192.0.2.123
ns2.ns-net.example.     300     IN      A       192.0.2.124

;; Query time: 11 msec
;; SERVER: 192.0.2.123#53(192.0.2.123)
;; WHEN: Mon Dec 13 14:36:56 EST 2021
;; MSG SIZE  rcvd: 191

Performing a dig query to any of the nameservers for any of the other nameservers will return the IP as expected:


; <<>> DiG 9.16.1-Ubuntu <<>> +norec @ns1.ns-net.example. ns3.ns-net.example.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63226
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5786fc62c3f155e8 (echoed)
;; QUESTION SECTION:
;ns3.ns-net.example.            IN      A

;; ANSWER SECTION:
ns3.ns-net.example.     300     IN      A       192.0.2.125

;; Query time: 15 msec
;; SERVER: 192.0.2.123#53(192.0.2.123)
;; WHEN: Mon Dec 13 14:39:46 EST 2021
;; MSG SIZE  rcvd: 87

Now for the problem:

I have a domain site-net.example for which I would like to use my nameservers. I can assign ns1.ns-net.example and ns2.ns-net.example fine. However, I am unable to assign ns3.ns-net.example and ns4.ns-net.example. I can assign ns3.ns-org.example and ns4.ns-org.example.

Why is this? My presumption is that the problem is caused by the non-existence of glue records for ns3 and ns4 (since .com and .net share gTLD servers), but as far as I am aware this isn't a prerequisite when the nameserver is a different domain.

If this is a requirement, I would like to know how one tests for this situation. ns3 and ns4 are not listed as nameservers for the nameserver domains, so if they existed those glue records would not be returned when running dig against the gTLD servers.

As well, if this is the case, does this apply to all TLDs? I can add an additional limitation so that if the domain is under the .com TLD it also avoids the ns3/4 of the .net TLD and vice versa, but I am looking for concrete information so that I know why I implemented it in this manner.

Edit: added some (obfuscated) dig outputs.

As well, there was a request to clarify what I mean by 'assign' and why I think it is an issue with glues. I use Google Domains for my test site's registrar. When I try to set the domain's custom nameservers to ns3.ns-net.example and ns4.ns-net.example, I get an error "The registry rejected the nameservers" with a link to the Google Domains Glue Records resource.

Patrick Mevzek (comment):
The last part "setting up nameservers, getting back an error about glues" is still not clear to me. But again, at least your registrar should be able to help and explain things, or at least give you the exact registry reply. Are you 100% sure (something I could have checked myself immediately if I had known the names involved) that `ns3` and `ns4` are registered at the registry as host objects? The registrar does all of that for you normally, but again, lacking details it is very hard to help.
Patrick Mevzek (comment):
(You can check on the **registry** whois server whether a hostname has been registered as a host object or not, as Verisign uses host objects; you can only use registered host objects for domain names at the registry, and this is maybe the problem, or not.)
Score:2

First, your question would be FAR more useful and easier to reply to if you gave real names instead of obfuscating everything (and I edited your obfuscations).

Especially since:

  • your case is NOT about glues. The nameserver names you are using are not "under" the domains using them, so there are no glues (exactly where things would be simpler if you gave real names); glues are returned by the registry's authoritative nameservers ONLY when needed (that is, when querying for NS records on the base domain under which the nameserver names are), and should not be returned for any other random domain using those nameservers (and any recursive nameserver would ignore them anyway, for security reasons, to avoid cache poisoning)
  • you say: "However, I am unable to assign" which is unclear. What did you do exactly? Where? What errors did you get? etc.

Like for:

If one were to perform an NS query, every nameserver would respond with the corresponding ns1 and ns2 answers with the IP addresses listed in the additional section.

Instead of this, give real dig queries showing exactly what you did, and the results. You may also want to look at DNSViz online, a very good troubleshooting tool.

I have a domain site-net.example for which I would like to use my nameservers. I can assign ns1.ns-net.example and ns2.ns-net.example fine.

Again, there are no glues involved here, as your nameserver names are not under the domains (site-net.example) you use them for.

Every domain has ns1 and ns2 for its nameservers. Therefore, I created glue records for each. Note that this means there are no glue records for ns3 and ns4.

Glues are needed ONLY if the nameserver is used. Otherwise many registries will not require them, or will require them at host object creation but obviously not publish anything on their authoritative nameservers.

As for rules, there are too many, both at registrar and registry levels, so without more details from you it is almost impossible to help you (and especially since you also seem to ask about "all" TLDs):

There are, among others:

  • limits (min and max) on the number of nameservers you can have per domain (and many small registries support only 2 nameservers per domain, not more)
  • and limits on the number of IP addresses per nameserver
  • there can be delegation tests, where your nameservers are tested for correct configuration at the time you assign them (which can test whether the IPs are separate or not, etc.)
  • some registries use hosts as objects, others as attributes (even if that is becoming the exception)
  • host IP addresses can be optional or required at host object creation, or asked for later if suddenly a name starts to be used where a glue is needed.
  • etc.

but I am looking for concrete information so that I know why I implemented it in this manner.

You are asking for concrete information based on details that are completely not concrete, so that is not possible. Also, your registrar should be able to give more details, especially for cases where you say "I am unable to assign", so it should be able to explain things for you with concrete details. Here it is not possible without more details from you.
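The bailiwick rule the answer relies on (glue is only meaningful for a nameserver name that sits under the zone it serves, and a resolver discards ADDITIONAL records that fall outside the zone being delegated), as an added Python example that is not part of the question or the answer. The names and addresses are the obfuscated ones from the question; the referral data is constructed, including one deliberately out-of-bailiwick record to show what the filter drops.

```python
# Added example: in-bailiwick checks for glue and for ADDITIONAL-section filtering.
# Names are compared label by label, never as string suffixes, so that
# "ns-net.example" is not mistaken for a child of "net.example".

def _labels(name: str) -> list[str]:
    """Split an absolute or relative DNS name into lowercase labels (root omitted)."""
    return [lab for lab in name.rstrip(".").lower().split(".") if lab]

def is_subdomain(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it (RFC 8499 'in-bailiwick')."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def needs_glue(delegated_domain: str, ns_name: str) -> bool:
    """Glue is required only when the nameserver name is inside the zone it serves.
    For site-net.example using ns1.ns-net.example this is False: the registry has
    nothing to publish and a resolver would not trust such an address anyway."""
    return is_subdomain(ns_name, delegated_domain)

def glue_report(domain: str, nameservers: list[str]) -> dict[str, bool]:
    """Map each nameserver name to whether the parent needs glue for it."""
    return {ns: needs_glue(domain, ns) for ns in nameservers}

def filter_additional(zone_cut: str, additional: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Resolver-side check: keep only address records whose owner name is under
    the zone being delegated (the cache-poisoning defence the answer mentions)."""
    return [rr for rr in additional if is_subdomain(rr[0], zone_cut)]

# Constructed referral modelled on the gTLD dig output in the question, plus one
# out-of-bailiwick record (ns3.ns-org.example) that a resolver must ignore.
REFERRAL_ADDITIONAL = [
    ("ns1.ns-net.example.", "A", "192.0.2.123"),
    ("ns2.ns-net.example.", "A", "192.0.2.124"),
    ("ns3.ns-org.example.", "A", "192.0.2.125"),  # not under ns-net.example
]

if __name__ == "__main__":
    # Nameserver domain delegating itself: ns1/ns2 are in-bailiwick, so glue is needed.
    print(glue_report("ns-net.example", ["ns1.ns-net.example", "ns2.ns-net.example"]))
    # Customer domain using the same servers: no glue is involved for any of them.
    print(glue_report("site-net.example", ["ns1.ns-net.example", "ns3.ns-net.example"]))
    # Only the two ns-net.example addresses survive the bailiwick filter.
    print(filter_additional("ns-net.example", REFERRAL_ADDITIONAL))
```

The second report shows why the registrar's "glue records" error cannot be about glue for site-net.example itself; whether ns3/ns4 exist as registry host objects is a separate question the page leaves open.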

Kevin F (comment):
Thank you for the response. I am not comfortable without obfuscating the domains and IPs, so I ask for your forgiveness on that. I updated the question to include some dig outputs. As well, I mentioned what I meant by assign and why I think it is a glues issue. I concur with your assessment; there are no glues unless it is in use, which is why I am puzzled as to why I got a glue records resource in response. That said, I have not been able to uncover possibilities for why setting the nameservers to ns3 and ns4 did not work.