Do glue records in non-circular dns-lookups speed up domain resolution or not?
Glue should only exist when the name servers for your domain are within the same domain name.
Technically this is not a circularity problem - those occur when two domains have NS
records that mutually point into the other domain name. These are now considered to be a configuration error.
Any A
record included along with the NS
records should be ignored unless it meets the same domain criteria above, since remembering "out of bailiwick glue" can lead to security issues such as the Kaminsky attack.
See also s5.4.1 of RFC 2181
[in other words - your ISP is essentially correct here, and the intodns.com advice is incorrect].
Yes, glue records do speed up domain resolution, and yes, your provider is wrong from a technical point of view with their answer (assuming you translated them right).
However, they are right about the approach. There is a lot of craze about glue records. Yes, they do save you one look up (sometimes), amounting to an outstanding 1-200 bytes and (rarely) some latency. However, the complication incurred by abusing glue records for performance improvement dwarfs the gainings.
Make sure you refer your provider's nameservers with the names they recommend (ns1.they.com or a.ns or whatever), then just stop worrying.
Other answers forget about one thing, far more important than speed: correctness.
If example.com
has ns1.example.com
as nameserver, on a query for NS
the registry will send ns1.example.com
in the answer section, and the glue records (A
and AAAA
) in the DNS packet additional section.
The resolver getting those CAN use the glue record because it sees that it is for a name the registry is authoritative on, so the caller can believe this result.
On the other end, if the nameserver was ns1.provider.example.
(a complete different TLD in another registry), even if the .com
registry would have sent an A
record for that name in the additional section, any security aware resolver will refuse to take it into account because it is a piece of information that the sender (registry) is not authoritative for.
Otherwise, imagine, at each step, if any server can send you A
records for any related name to your query, in any other zone and having the caller accept them... That makes hijacking far too easy.
(and DNSSEC does not help here because only content in the ANSWER section is signed, glue records in ADDITIONAL section are not)