How to test DNS glue record?

Question

Hello I have just set up a DNS server for my domain example.org with 2 name servers ns1.example.org and ns2.example.org. I have attempted to set up a glue record for ns1 and ns2 at my registrar.

It seems to work for now when I do a dig example.org but when I do a whois example.org it lists ns1.example.org and ns2.example.org but not their IP address which should be set up as a glue record.

So I am wondering how do I check for the existence of a glue record? Do I do it with whois? I have seen .com and .net whois records that have both the domain name as well as the IP address for the name servers, is .org different? What's the proper way to test this?

Thanks.

score 66 · Accepted Answer · edited Mar 03 '21 at 14:50

Glue records only ever exist in the parent zone of a domain name.

Hence in the case of your example.org domain name, first find the .org name servers:

% dig +short org. NS
a0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b0.org.afilias-nst.org.
b2.org.afilias-nst.org.
c0.org.afilias-nst.info.
d0.org.afilias-nst.org.

Then, for as many of these as you feel like testing, explicitly ask those name servers for the NS records for your domain:

% dig +norec @a0.org.afilias-nst.info. example.org. NS

You should get back the correct list of NS records in the "AUTHORITY SECTION". For any name servers that have correctly configured glue you should see those glue A (and/or AAAA) records appear in the "ADDITONAL SECTION".

score 14 · Answer 2 · answered Dec 13 '14 at 13:32

dig +trace is generally the most straightforward way to inspect the chain of delegations. However, glue records are in the additional section and by default trace output does not include the additional section. You will need to specify explicitly that you want this included in the output.

dig +trace +additional example.com

If the idea is to check the sanity of the delegation chain you will probably want to see the authoritative NS records as well, in this case:

dig +trace +additional example.com NS

score 7 · Answer 3 · edited Jan 31 '22 at 05:26

7

To check if a GLUE record is setup:

dig +trace @a.root-servers.net ns0.nameserverhere.com

If the GLUE is setup you should see a record that ends with:

“Received XXX bytes from x.GTLD-SERVERS.NET.”

There are also sites which will do it for you, such as http://www.intodns.com/

edited Jan 31 '22 at 05:26

hbogert

450

answered May 16 '10 at 12:55

Coops

6,214

score 7 · Answer 4 · answered Dec 13 '14 at 11:40

Here is a little shell script which implements Alnitak's answer:

#!/bin/sh
S=${IFS}
IFS=.
for P in $1; do
  TLD=${P}
done
IFS=${S}

echo "TLD: ${TLD}"
DNSLIST=$(dig +short ${TLD}. NS)
for DNS in ${DNSLIST}; do
  echo "Checking ${DNS}"
  dig +norec +nocomments +noquestion +nostats +nocmd @${DNS} $1 NS
done

Pass the name of the domain as parameter:

./checkgluerecords.sh example.org

score 0 · Answer 5 · answered Feb 14 '17 at 09:45

You can also use whois, where the registry supports it, for directly checking the existent of glue for a given name server. For example, to check one of the name servers of serverfault.com:

whois ns-860.awsdns-43.net.

For a more concise response:

whois ns-860.awsdns-43.net. | grep "No match\|IP" | xargs

Note: This will certainly work for name servers in the .net and .com name space, but probably not for most other registries.

How to test DNS glue record?

5 Answers5

Linked