DNS Glue Records – Route 53 Domain/Godaddy Reject

amazon-route53amazon-web-servicesdomain-name-systemwindows-dns

We have a domain muzzard.com that is DNS hosted with AWS Route 53

AWS has give us the following nameservers

ns-1996.awsdns-57.co.uk,ns-1368.awsdns-43.org,ns-777.awsdns-33.net,ns-436.awsdns-54.com

These have been added to muzzard.com as its namesevers at MyDomain.com which is the ultimate registrar for muzzard.com

I can see them in the DNS:

> set querytype=all
> muzzard.com
Server:  ns-1996.awsdns-57.co.uk
Address:  205.251.199.204

muzzard.com     internet address = 54.194.110.136
muzzard.com     nameserver = ns-1368.awsdns-43.org
muzzard.com     nameserver = ns-1996.awsdns-57.co.uk
muzzard.com     nameserver = ns-436.awsdns-54.com
muzzard.com     nameserver = ns-777.awsdns-33.net
muzzard.com
        primary name server = ns-1996.awsdns-57.co.uk
        responsible mail addr = awsdns-hostmaster.amazon.com
        serial  = 1
        refresh = 7200 (2 hours)
        retry   = 900 (15 mins)
        expire  = 1209600 (14 days)
        default TTL = 86400 (1 day)
muzzard.com     MX preference = 10, mail exchanger = mail.muzzard.com
mail.muzzard.com        internet address = 159.8.131.164

In there I have added 2 A records into the route 53 control panel:

ns-primary.muzzard.com
&
ns-secondary.muzzard.com

These have Windows2012 DNS software loaded and will respond to requests.

We want to use muzzard.com as DNS Nameserver for another domain teachers-direct.co.uk, this is hosted at Godaddy.

I am trying to add ns-primary.muzzard.com & ns-secondary.muzzard.com at Godaddy control panel but is rejecting saying "You must enter a registered nameserver."

There are existing records for ns-americas,ns-emea and ns-apac.muzzard.com (that no longer exist)

When I add the new nameserver it fails with this error message:

And yet the nameservers are in the DNS if I ping them.

C:\Users\Karl>ping ns-primary.muzzard.com

Pinging ns-primary.muzzard.com [159.8.131.164] with 32 bytes of data:
Reply from 159.8.131.164: bytes=32 time=56ms TTL=115

Here is a screen capture of the DNS setting on ns-primary.muzzard.com

And ns-primary responds correctly using nslookup with the correct IP for the given hostname.

C:\Users\Karl>nslookup
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> lserver ns-primary.muzzard.com
Default Server:  ns-primary.muzzard.com
Address:  159.8.131.164

> www.teachers-direct.co.uk
Server:  ns-primary.muzzard.com
Address:  159.8.131.164

Name:    www.teachers-direct.co.uk
Address:  176.34.226.81

I believe this is due to missing "glue" records at muzzard.com

Where would I add these ns records?

Update 5 October 2016

I had to change the nameservers for this domain 'teachers-direct' to a set that worked as it is a live site with a lot of traffic.

Currently has mentioned in comment I have another domain in the same situation that I have not moved to working DNS servers.

This was the response from the tech team for that domain – 'carib.com'

"Our upper level domains team has further investigated and they have
find out that the name servers ns-primary.muzzard.com and
ns-secondary.muzzard.com do not exist at the registry. They have told
me that the owner of the domain muzzard.com will need to add host
entries for these. I think that you can pass this information to the
support of muzzard.com registrar. Please let me know if more details
are required and I will try to obtain more technical details. If
there’s anything else at all I can do for you, please let me know and
I’ll be very happy to help. Best wishes "

Best Answer

I disagree with Florin. Glue is only needed to address chicken and egg scenarios in the DNS. In this case, no glue is required at all because you are attempting to use nameservers ending in com. for a co.uk. domain.

I've taken a look at ns-primary.muzzard.com and ns-secondary.muzzard.com. I can find nothing wrong with these A records, or the referrals leading up to them. Both of those nameservers are properly returning authoritative responses for teachers-direct.co.uk, and the NS records are set up properly. (pointing at the nameservers you are attempting to define in the control panel)

$ dig +noall +comments +norecurse @ns-primary.muzzard.com teachers-direct.co.uk SOA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59089
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

$ dig +noall +comments +norecurse @ns-secondary.muzzard.com teachers-direct.co.uk SOA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61146
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

$ dig +short +norecurse @ns-primary.muzzard.com teachers-direct.co.uk NS
ns-primary.muzzard.com.
ns-secondary.muzzard.com.

$ dig +short +norecurse @ns-secondary.muzzard.com teachers-direct.co.uk NS
ns-secondary.muzzard.com.
ns-primary.muzzard.com.

At this point, I'd encourage you to attempt applying these nameservers again. It's possible that you did not have everything properly configured during your initial attempt, which caused the recursive DNS servers used by GoDaddy's validation check to cache (or negative cache) responses that would cause this check to continue failing. If it still isn't working, the ever-reliable Håkan Lindqvist will probably find this question at some point and set matters right.

Subordinate identification

Apex level NS records are used by a master server to identify its subordinates. When data on an authoritative nameserver changes, it will advertise this via DNS NOTIFY messages (RFC 1996) to all of its peers on that list. Those servers will in turn call back with a request for the SOA record (which contains the serial number), and make a decision on whether to pull down a more recent copy of that zone.

It's possible to send these messages to servers not listed in the NS section, but this requires server specific configuration directives (such as ISC BIND's also-notify directive). The apex NS records comprise the basic list of servers to notify under a default configuration.
It's worth noting that the secondary servers will also send NOTIFY messages to each other based on these NS records, usually resulting in logged refusals. This can be disabled by instructing servers to only send notifies for zones they are masters for (BIND: notify master;), or to skip NS based notifies entirely in favor of notifies explicitly defined in the configuration. (BIND: notify explicit;)

Authoritative definition

The question above contained a fallacy:

They are not used by caching DNS servers in order to determine the authoritative servers for the domain. This is handled by nameserver glue, which is defined at the registrar level. The registrar never uses this information to generate the glue records.

This is an easy conclusion to arrive at, but not accurate. The NS records and glue record data (such as that defined within your registrar account) are not authoritative. It stands to reason that they cannot be considered "more authoritative" than the data residing on the servers that authority is being delegated to. This is emphasized by the fact that referrals do not have the aa (Authoritative Answer) flag set.

To illustrate:

$ dig @a.gtld-servers.net +norecurse +nocmd example.com. NS
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14021
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.                   IN      NS

;; AUTHORITY SECTION:
example.com.            172800  IN      NS      a.iana-servers.net.
example.com.            172800  IN      NS      b.iana-servers.net.

;; ADDITIONAL SECTION:
a.iana-servers.net.     172800  IN      A       199.43.135.53
a.iana-servers.net.     172800  IN      AAAA    2001:500:8f::53
b.iana-servers.net.     172800  IN      A       199.43.133.53
b.iana-servers.net.     172800  IN      AAAA    2001:500:8d::53

Note the lack of aa in the flags for the above reply. The referral itself is not authoritative. On the other hand, the data on the server being referred to is authoritative.

$ dig @a.iana-servers.net +norecurse +nocmd example.com. NS
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2349
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.                   IN      NS

;; ANSWER SECTION:
example.com.            86400   IN      NS      a.iana-servers.net.
example.com.            86400   IN      NS      b.iana-servers.net.

That said, this relationship can get very confusing as it is not possible to learn about the authoritative versions of these NS records without the non-authoritative NS records defined on the parent side of the referral. What happens if they disagree?

The short answer is "inconsistent behavior".
The long answer is that nameservers will initially stub everything off of the referral (and glue) on an empty cache, but those NS, A, and AAAA records may eventually be replaced when they are refreshed. The refreshes occur as the TTLs on those temporary records expire, or when someone explicitly requests the answer for those records.
A and AAAA records for out of zone data (i.e. the com nameservers defining glue for data outside of the com zone, like example.net) will definitely end up being refreshed, as it is a well-understood concept that a nameserver should not be considered an authoritative source of such information. (RFC 2181)
When values of the NS records differ between the parent and child sides of the referral (such as the nameservers entered into the registrar control panel differing from the NS records that live on those same servers), the behaviors experienced will be inconsistent, up to and including child NS records being ignored completely. This is because the behavior is not well defined by the standards, and the implementation varies between different recursive server implementations. In other words, consistent behavior across the internet can only be expected if the nameserver definitions for a domain are consistent between the parent and child sides of a referral.

The long and short of it is that recursive DNS servers throughout the internet will bounce back between destinations if the records defined on the parent side of the referral do not agree with the authoritative versions of those records. Initially the data present in the referral will be preferred, only to be replaced by the authoritative definitions. Since caches are constantly being rebuilt from scratch across the internet, it is impossible for the internet to settle on a single version of reality with this configuration. If the authoritative records are doing something illegal per the standards, such as pointing NS records at aliases defined by a CNAME, this gets even more difficult to troubleshoot; the domain will alternate between working and broken for software that rejects the violation. (i.e. ISC BIND / named)

RFC 2181 §5.4.1 provides a ranking table for the trustworthiness of this data, and makes it explicit that cache data associated with referrals and glue cannot be returned as the answer to an explicit request for the records they refer to.

5.4.1. Ranking data

   When considering whether to accept an RRSet in a reply, or retain an
   RRSet already in its cache instead, a server should consider the
   relative likely trustworthiness of the various data.  An
   authoritative answer from a reply should replace cached data that had
   been obtained from additional information in an earlier reply.
   However additional information from a reply will be ignored if the
   cache contains data from an authoritative answer or a zone file.

   The accuracy of data available is assumed from its source.
   Trustworthiness shall be, in order from most to least:

     + Data from a primary zone file, other than glue data,
     + Data from a zone transfer, other than glue,
     + The authoritative data included in the answer section of an
       authoritative reply.
     + Data from the authority section of an authoritative answer,
     + Glue from a primary zone, or glue from a zone transfer,
     + Data from the answer section of a non-authoritative answer, and
       non-authoritative data from the answer section of authoritative
       answers,
     + Additional information from an authoritative answer,
       Data from the authority section of a non-authoritative answer,
       Additional information from non-authoritative answers.

   <snip>

   Unauthenticated RRs received and cached from the least trustworthy of
   those groupings, that is data from the additional data section, and
   data from the authority section of a non-authoritative answer, should
   not be cached in such a way that they would ever be returned as
   answers to a received query.  They may be returned as additional
   information where appropriate.  Ignoring this would allow the
   trustworthiness of relatively untrustworthy data to be increased
   without cause or excuse.

Best Answer

Related Solutions

How to Set an MX Record in Route53 for a GoDaddy Domain

DNS – Role of NS Records at Domain Apex

Subordinate identification

Authoritative definition

Related Topic