Glue record limitations for authoritative nameservers
I am trying to set up some nameservers for use by many domains, but there appears to be some issues with my set-up and I am not clear on what needs to be fixed to get it to work.
For my nameservers, it is set up as follows:
- I have several nameserver domains: `ns-com.example`, `ns-net.example`, `ns-org.example`.
- I have several nameservers. The nameservers correspond to their own subdomain.
```text
ns1 => 192.0.2.123
ns2 => 192.0.2.124
ns3 => 192.0.2.125
ns4 => 192.0.2.126
```
- Every domain has ns1 and ns2 for its nameservers. Therefore, I created glue records for each. Note that this means there are no glue records for ns3 and ns4. Example dig output from the gTLD server:
```text
; <<>> DiG 9.16.1-Ubuntu <<>> +norec @c.gtld-servers.net. ns-net.example.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11669
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns-net.example.            IN  A

;; AUTHORITY SECTION:
ns-net.example.     172800  IN  NS  ns1.ns-net.example.
ns-net.example.     172800  IN  NS  ns2.ns-net.example.

;; ADDITIONAL SECTION:
ns1.ns-net.example. 172800  IN  A   192.0.2.123
ns2.ns-net.example. 172800  IN  A   192.0.2.124

;; Query time: 23 msec
;; SERVER: 192.26.92.30#53(192.26.92.30)
;; WHEN: Mon Dec 13 14:34:20 EST 2021
;; MSG SIZE  rcvd: 109
```
- If one were to perform an NS query, every nameserver would respond with the corresponding ns1 and ns2 answers with the IP addresses listed in the additional section.
```text
; <<>> DiG 9.16.1-Ubuntu <<>> +norec @ns1.ns-net.example. ns-net.example. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16843
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d757529672f25fcb (echoed)
;; QUESTION SECTION:
;ns-net.example.            IN  NS

;; ANSWER SECTION:
ns-net.example.     14400   IN  NS  ns1.ns-net.example.
ns-net.example.     14400   IN  NS  ns2.ns-net.example.

;; ADDITIONAL SECTION:
ns1.ns-net.example. 300     IN  A   192.0.2.123
ns2.ns-net.example. 300     IN  A   192.0.2.124

;; Query time: 11 msec
;; SERVER: 192.0.2.123#53(192.0.2.123)
;; WHEN: Mon Dec 13 14:36:56 EST 2021
;; MSG SIZE  rcvd: 191
```
Performing a dig query to any of the nameservers for any of the other nameservers will return the IP as expected:
```text
; <<>> DiG 9.16.1-Ubuntu <<>> +norec @ns1.ns-net.example. ns3.ns-net.example.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63226
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5786fc62c3f155e8 (echoed)
;; QUESTION SECTION:
;ns3.ns-net.example.        IN  A

;; ANSWER SECTION:
ns3.ns-net.example. 300     IN  A   192.0.2.125

;; Query time: 15 msec
;; SERVER: 192.0.2.123#53(192.0.2.123)
;; WHEN: Mon Dec 13 14:39:46 EST 2021
;; MSG SIZE  rcvd: 87
```
Now for the problem:
I have a domain `site-net.example` for which I would like to use my nameservers. I can assign `ns1.ns-net.example` and `ns2.ns-net.example` fine. However, I am unable to assign `ns3.ns-net.example` and `ns4.ns-net.example`. I can assign `ns3.ns-org.example` and `ns4.ns-org.example`.
Why is this? My presumption is that the problem is caused by the non-existence of glue records for ns3 and ns4 (since .com and .net share gTLD servers), but as far as I am aware this isn't a prerequisite when the nameserver is a different domain.
If this is a requirement, I would like to know how one tests for this situation. ns3 and ns4 are not listed as nameservers for the nameserver domains, so if they existed those glue records would not be returned when running `dig` against the gTLD servers.
As well, if this is the case, does this apply to all TLDs? I can add an additional limitation where if the domain is a .com TLD to also avoid the ns3/4 of the .net TLD and vice versa, but I am looking for concrete information so that I know why I implemented it in this manner.
Edit: added some (obfuscated) dig outputs.
As well, there was a request to clarify what I mean by 'assign' and why I think it is an issue with glues. I use Google Domains for my test site's registrar. When I try to set the domain's custom nameservers to `ns3.ns-net.example` and `ns4.ns-net.example`, I get an error "The registry rejected the nameservers" with a link to the Google Domains Glue Records resource.
First, your question would be FAR more useful and easy to reply if you give real names instead of obfuscating everything (and I edited your obfuscations).
Especially since:
- your case is NOT about glues. The nameserver names you are using are not "under" the domains using them, so there are no glues (exactly where things would be simpler if you gave real names); glues are returned by registry authoritative nameservers ONLY when needed (that is, when querying for `NS` records on the base domain under which the nameserver names are), and should not be returned for any other random domain using those nameservers (and any recursive nameserver would ignore them anyway, for security reasons, to avoid cache poisoning)
- you say: "However, I am unable to assign" which is unclear. What did you do exactly? Where? What errors did you get? etc.
Like for:
> If one were to perform an NS query, every nameserver would respond with the corresponding ns1 and ns2 answers with the IP addresses listed in the additional section.

Instead of this, give real `dig` queries showing exactly what you did, and the results. You may also want to look at DNSViz online, a very good troubleshooting tool.
> I have a domain site-net.example for which I would like to use my nameservers. I can assign ns1.ns-net.example and ns2.ns-net.example fine.

Again, there are no glues involved here as your nameserver names are not using the domains (`site-net.example`) you use them for.
> Every domain has ns1 and ns2 for its nameservers. Therefore, I created glue records for each. Note that this means there are no glue records for ns3 and ns4.

Glues are needed ONLY if the nameserver is used. Otherwise many registries will not require them, or require them at host object creation but obviously not publish anything on their authoritative nameservers.
As for rules, there are too many, both at registrar and registry levels so without more details from you it is almost impossible to help you (and specifically since you also seem to ask for "all" TLDs):
There are, among others:
- limit (min and max) on number of nameservers you can have per domain (and many small registries support only 2 nameservers per domain, not more)
- and limit about number of IP addresses per nameservers
- there can be delegation tests, where your nameservers are tested for correct configuration at the time you assign them (which can test if the IPs are separate or not, etc.)
- some registries are using hosts as objects, other as attributes (even if that is becoming the exception)
- host IP addresses can be optional or required at host object creation or asked later if suddenly a name starts to be used where a glue is needed.
- etc.
> but I am looking for concrete information so that I know why I implemented it in this manner.

You are asking for concrete information based on details that are completely not concrete, so that is not possible. Also your registrar should be able to give more details, especially for cases where you say "I am unable to assign", so it should be able to explain things for you with concrete details. Here it is not possible without more details from you.
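The asker wanted a way to test for this situation, and the answer's point is that glue is only expected for nameserver names that sit under the zone being delegated. The following added example (not from the question, the answer or any registrar) does that check: it compares names label by label (so `ns1.ns-net.example` is under `ns-net.example` but not under `net.example`), parses a dig-style referral and reports, for every NS in the AUTHORITY section, whether it is in-bailiwick and whether the ADDITIONAL section carries a glue address for it. The sample referrals are constructed from the output quoted in the question.

```python
import re

def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def in_bailiwick(ns_name, zone):
    """True when ns_name is at or below zone, compared label by label."""
    n, z = labels(ns_name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z

def needs_glue(zone, ns_name):
    """Glue is only required for nameserver names inside the delegated zone."""
    return in_bailiwick(ns_name, zone)

# Resource record line as printed by dig: owner TTL IN TYPE RDATA
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def check_referral(dig_output, zone):
    """Map each delegated NS name to its bailiwick status and glue addresses."""
    section, ns_names, glue = None, [], {}
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line.split()[1]          # QUESTION / AUTHORITY / ADDITIONAL
            continue
        m = RR.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        owner = owner.lower().rstrip(".")
        if section == "AUTHORITY" and rtype == "NS":
            ns_names.append(rdata.lower().rstrip("."))
        elif section == "ADDITIONAL" and rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata)
    return {ns: {"in_bailiwick": in_bailiwick(ns, zone), "glue": glue.get(ns, [])}
            for ns in ns_names}

def missing_glue(report):
    """In-bailiwick nameservers the parent did not hand out an address for."""
    return sorted(ns for ns, r in report.items() if r["in_bailiwick"] and not r["glue"])

# Constructed sample: the gTLD referral for ns-net.example quoted in the question.
REFERRAL = """;; AUTHORITY SECTION:
ns-net.example. 172800 IN NS ns1.ns-net.example.
ns-net.example. 172800 IN NS ns2.ns-net.example.
;; ADDITIONAL SECTION:
ns1.ns-net.example. 172800 IN A 192.0.2.123
ns2.ns-net.example. 172800 IN A 192.0.2.124
"""
```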