Do glue records in non-circular DNS lookups speed up domain resolution or not?

Glue should only exist when the name servers for your domain are within the same domain name.

Technically this is not a circularity problem - those occur when two domains have NS records that mutually point into the other domain name. These are now considered to be a configuration error.

Any A record included along with the NS records should be ignored unless it meets the same domain criteria above, since remembering "out of bailiwick glue" can lead to security issues such as the Kaminsky attack.

See also s5.4.1 of RFC 2181

[in other words - your ISP is essentially correct here, and the intodns.com advice is incorrect].


Yes, glue records do speed up domain resolution, and yes, your provider is wrong from a technical point of view with their answer (assuming you translated them right).

However, they are right about the approach. There is a lot of craze about glue records. Yes, they do save you one lookup (sometimes), amounting to an outstanding 1-200 bytes and (rarely) some latency. However, the complication incurred by abusing glue records for performance improvement dwarfs the gains.

Make sure you refer to your provider's nameservers by the names they recommend (ns1.they.com or a.ns or whatever), then just stop worrying.


Other answers forget about one thing, far more important than speed: correctness.

If example.com has ns1.example.com as nameserver, on a query for NS the registry will send ns1.example.com in the answer section, and the glue records (A and AAAA) in the DNS packet additional section.

The resolver getting those CAN use the glue record because it sees that it is for a name the registry is authoritative on, so the caller can believe this result.

On the other hand, if the nameserver was ns1.provider.example. (a completely different TLD in another registry), even if the .com registry had sent an A record for that name in the additional section, any security-aware resolver will refuse to take it into account, because it is a piece of information that the sender (the registry) is not authoritative for.

Otherwise, imagine, at each step, if any server can send you A records for any related name to your query, in any other zone and having the caller accept them... That makes hijacking far too easy.

(And DNSSEC does not help here, because only content in the ANSWER section is signed; glue records in the ADDITIONAL section are not.)
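
The bailiwick check described in the last answer, as an added example that is not part of any answer on this page: it filters the additional section of a referral and keeps only address records the responding zone may vouch for. The function names, the extra rule that the owner must be one of the referral's NS targets, and the sample referral (documentation address ranges) are assumptions of this sketch.

```python
# Added example. Referral data below is constructed; addresses are documentation ranges.

def labels(name):
    """Split a domain name into lowercase labels, ignoring the trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(name, zone):
    """True if name equals zone or is a subdomain of it, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_glue(server_zone, ns_targets, additional):
    """Split additional-section records into (accepted, rejected).

    A record is kept only if it is an address record, its owner is one of the
    NS targets in the referral (assumption of this sketch), and the owner lies
    inside the zone the responding server is authoritative for.
    """
    targets = {tuple(labels(t)) for t in ns_targets}
    accepted, rejected = [], []
    for owner, rtype, rdata in additional:
        ok = (rtype in ("A", "AAAA")
              and tuple(labels(owner)) in targets
              and in_bailiwick(owner, server_zone))
        (accepted if ok else rejected).append((owner, rtype, rdata))
    return accepted, rejected

# Constructed referral from the com. servers for example.com.
NS_TARGETS = ["ns1.example.com.", "ns1.provider.example."]
ADDITIONAL = [
    ("ns1.example.com.", "A", "192.0.2.53"),          # in-bailiwick glue
    ("ns1.example.com.", "AAAA", "2001:db8::53"),     # in-bailiwick glue
    ("ns1.provider.example.", "A", "198.51.100.7"),   # other TLD: not com.'s to assert
    ("www.example.com.", "A", "203.0.113.9"),         # not a name server at all
]

if __name__ == "__main__":
    ok, dropped = filter_glue("com.", NS_TARGETS, ADDITIONAL)
    for rec in ok:
        print("use   ", rec)
    for rec in dropped:
        print("ignore", rec)
```

The comparison is done on whole labels, so a name such as `ns1.notcom.` is not mistaken for something under `com.` the way a plain string-suffix test would allow.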