When does the TLD having glue records for the nameservers save DNS lookups?
My understanding is that if I have the nameservers for both example1.com and example2.us set to ns1.example2.us and ns2.example2.us, looking up www.example1.com will:
- look up example1.com to find its nameservers, yielding no glue records (.com registry won't provide glue for .us domains)
- look up ns1.example2.us and ns2.example2.us (necessarily both?), each of which will:
- query example2.us, yielding glue records for ns1.example2.us and ns2.example2.us
- apparently query ns1.example2.us and/or ns2.example2.us to get the address(es) for ns1.example2.us and/or ns2.example2.us (is this correct? this seemed to be my experience)
- query ns1.example2.us and/or ns2.example2.us to get the address for www.example1.com
If instead, we have the nameservers for both example1.com and example2.com set to ns1.example2.com and ns2.example2.com, looking up www.example1.com will:
- look up example1.com to find its nameservers, yielding glue records for ns1.example2.com and ns2.example2.com
- query ns1.example2.com and/or ns2.example2.com to get the address for www.example1.com
Am I correct that in this case, there are only these two steps in the lookup? Specifically, I seem to be experiencing a volume of lookups in example2.com that suggests that lookups for example1.com are not always using the glue records, resulting in an extra step where ns1.example2.com and/or ns2.example2.com are looked up by querying ns1.example2.com and/or ns2.example2.com.
(edited to highlight my minor questions buried in the first example and to try to clarify my primary question at the end.)
Maybe some diagrams will help, since I think I'm explaining this badly. Here's my understanding of what should happen when looking up www.example.com if example.com's nameservers are ns1.host.us and ns2.host.us:
The third lookup step seems to be happening nearly universally, but doesn't entirely make sense to me. Should that third step really be there?
Here's my understanding of what should happen when looking up www.example.com if example.com's nameservers are ns1.host.com and ns2.host.com:
Is my understanding of this case correct?
Here's what I think might be happening with around 1/3 of the lookups for www.example.com with nameservers ns1.host.com and ns2.host.com (based on the number and timing of queries to the nameservers for various domains):
Is this actually possible and/or does it represent a badly-behaved client?
To add to Mit's answer. The best practice is to only use Glue Records to resolve those circular dependencies. See section 2.3 of RFC1912: http://www.faqs.org/rfcs/rfc1912.html
To quote:
Some people get in the bad habit of putting in a glue record whenever
they add an NS record "just to make sure". Having duplicate glue
records in your zone files just makes it harder when a nameserver moves to a new IP address, or is removed. You'll spend hours trying to figure out why random people still see the old IP address for some host, because someone forgot to change or remove a glue record in some other file. Newer BIND versions will ignore these extra glue records in local zone files.
Note that last bit if you're using BIND. Also, I think most DNS clients will ignore extra-domain glue records, which would explain what you're seeing.
Edit to follow up on comment.
With TLD glue records, you'd typically provide them to your registrar, but otherwise the same rules apply. I run domains in .co.uk
and .com
. I also have name servers in both of those TLDs that are authoritative for all of my domains.
If I run dig ns co.uk
and dig ns com
, I can see the big heap of servers that are authoritative for those TLDs. If I pick one of those listed .com
servers and dig @<server> ns <mydomain>.com
it'll return all four name servers for my domain, but only the glue records of the name servers in the same TLD (supplied as ADDITIONALs), which is what you're describing.
If I run dig @<co.uk server> <myotherdomain>.co.uk
, I'll again get all four name servers, but this time accompanied by the glue records for the 3 of them in the .co.uk
TLD.
This is all as it should be. If all of your name servers are in the .us
TLD, then clients looking for your .com
domains will be told the domain names of your name servers by the .com
servers; then the clients will perform another query on the .us
servers to find their IPs. That extra round trip might sound inefficient, but it only has to happen once per TTL period per client. (typically 48 hours for TLD records.)
(Apologies if you already know all of the above). To answer the original question. Glue records are not intended to save DNS lookups. They're necessary to prevent infinite loops.
Edit 2
Sorry for waffling around the issue. I see what you mean, now (Good diagrams, by the way).
My understanding of how clients should behave is that if one has the opportunity to get authoritative RRs, then it should; but in this case, the client is asking the name server for its own A records, which is pointless, since the Glue is those A records.
I'm reaching the limits of my knowledge here, but I can't think of any situation why a client would need to do this. I'm guessing here, but perhaps the client implementation needs to check that the server is definitely authoritative for ns_.host.us, even when that means what looks like a pointless, extra round-trip.
Try a dig +trace www.example.com
to see if it does the same thing. I'd be curious to see if it does the same lookup if the original query was for a _.host.us name, too.
Name servers in delegations are identified by name, rather than by IP address. This means that a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred. If the name given in the delegation is a subdomain of the domain for which the delegation is being provided, there is a circular dependency. In this case the nameserver providing the delegation must also provide one or more IP addresses for the authoritative nameserver mentioned in the delegation. This information is called glue. The delegating name server provides this glue in the form of records in the additional section of the DNS response, and provides the delegation in the answer section of the response.
For example, if the authoritative name server for example.org is ns1.example.org, a computer trying to resolve www.example.org first resolves ns1.example.org. Since ns1 is contained in example.org, this requires resolving example.org first, which presents a circular dependency. To break the dependency, the nameserver for the org top level domain includes glue along with the delegation for example.org. The glue records are address records that provide IP addresses for ns1.example.org. The resolver uses one or more of these IP addresses to query one of domain's authoritative servers, which allows it to complete the DNS query. This might fix the issue.