How to test DNS glue record?
Solution 1:
Glue records only ever exist in the parent zone of a domain name.
Hence in the case of your example.org
domain name, first find the .org
name servers:
% dig +short org. NS
a0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b0.org.afilias-nst.org.
b2.org.afilias-nst.org.
c0.org.afilias-nst.info.
d0.org.afilias-nst.org.
Then, for as many of these as you feel like testing, explicitly ask those name servers for the NS
records for your domain:
% dig +norec @a0.org.afilias-nst.info. example.org. NS
You should get back the correct list of NS
records in the "AUTHORITY SECTION". For any name servers that have correctly configured glue you should see those glue A
(and/or AAAA
) records appear in the "ADDITONAL SECTION".
Solution 2:
dig +trace
is generally the most straightforward way to inspect the chain of delegations. However, glue records are in the additional section and by default trace output does not include the additional section. You will need to specify explicitly that you want this included in the output.
dig +trace +additional example.com
If the idea is to check the sanity of the delegation chain you will probably want to see the authoritative NS
records as well, in this case:
dig +trace +additional example.com NS
Solution 3:
To check if a GLUE record is setup:
dig +trace @a.root-servers.net ns0.nameserverhere.com
If the GLUE is setup you should see a record that ends with:
“Recevied XXX bytes from x.GTLD-SERVERS.NET.”
There is also sites which will do it for you such as http://www.intodns.com/
Solution 4:
Here is a little shell script which implements Alnitak's answer:
#!/bin/sh
S=${IFS}
IFS=.
for P in $1; do
TLD=${P}
done
IFS=${S}
echo "TLD: ${TLD}"
DNSLIST=$(dig +short ${TLD}. NS)
for DNS in ${DNSLIST}; do
echo "Checking ${DNS}"
dig +norec +nocomments +noquestion +nostats +nocmd @${DNS} $1 NS
done
Pass the name of the domain as parameter:
./checkgluerecords.sh example.org
Solution 5:
You can also use whois
, where the registry supports it, for directly checking the existent of glue for a given name server. For example, to check one of the name servers of serverfault.com:
whois ns-860.awsdns-43.net.
For a more concise response:
whois ns-860.awsdns-43.net. | grep "No match\|IP" | xargs
Note: This will certainly work for name servers in the .net and .com name space, but probably not for most other registries.