Why does dig +trace seem to ignore the DNS glue records

digdomain-name-systemglue-record

Here are my questions:

Why does dig +trace ignore the Glue Records?
Is this behavior specific to dig or dig +trace, or does a recursive name server also "manually verify" glue records it receives?

Here is the longer explanation:

This is the full capture of the DNS transaction that that prompted these questions.

I am using dig +trace to follow the DNS process for a simple A record resolution for www.pizza.com. As, expected, the first request was to my DNS server, looking for the Root Nameservers (Packet #1). My DNS Server then responds with the list of all 13 Name Servers (Packet #2):

Note that in Packet#2, there are no Additional Records included. Which prompts my client to look up the A record for each of the provided Root name servers. Which happens in packets 3 thru 28:

So far, this is expected. But next it gets interesting.

Packet 29 is my client, making a request to 192.5.5.241 (f.root-servers.net), looking for the A record for www.pizza.com. Obviously, the Root NS doesn't know the A record, so instead provides the .com TLD Name Servers' FQDNs (a.gtld-servers.net, b.gtld-servers.net, etc). Notice, the F Root NS also provides the "Additional Records", which are the A records corresponding to each of the .com TLD Name Server FQDNs:

What follows next is what my question revolves around. Even though my client received the A records correlating to the .com TLD name servers. It still decided to make an A record requests for each of the .com TLD name servers (packets 31-56):

The same thing happens just a bit further down (packets 57-66) when my client asks the .com TLD name servers for the A record for www.pizza.com, and receives the Authoritative NS records for the Pizza.com domain. The .com TLD Name servers provide the glue records, but my client still goes out and manually resolves each NS server's A record manually.

So my questions are:

Why does dig +trace ignore the Glue Records?
Is this behavior specific to dig or dig +trace, or does a recursive name server also "manually verify" glue records it receives?

I am using this version of Dig:
DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1

And ran this command:
$ dig www.pizza.com +trace -4

Edit 1: Added questions to the top as well, to make it easier to understand what I am inquiring about

Edit 2: This question is similar to mine, but not exactly the same. In this question, @Andrew B confirms the same behavior I am seeing:

+trace cheated and consulted the local resolver to obtain the IP address of the next hop nameserver instead of consulting the glue.

But my question is specifically why does dig +trace do that? What is the benefit? What is it trying to provide? It seems just like more work, that can sometimes even cause an inaccuracy in how dig resolves an address and how actual DNS resolves an address (as indicated by the other question).

The other question does seem to answer my second question, however. It seems this behavior of ignoring the glue records is specific to dig, and not how a "normal" recursive name server would act.

Best Answer

The official documentation says that dig can use glue records for subsequent queries but may revert to recursive queries if glue records are not provided [1]:

dig may still send queries to the servers listed in /etc/resolv.conf when using +trace When following delegation iteratively as specified with the +trace option, dig will begin by requesting the NS records for the servers authoritative for root ("."). These may or may not be supplied with glue - that is A and AAAA records that can be used for the next queries dig has to send. When there is no glue provided, either on the initial query for the root nameservers, or later on when following delegation, dig will revert to recursively querying the servers listed in /etc/resolv.conf to obtain the needed A/AAAA RRsets.

Specifying @server does not change this behaviour - the server specified in this way will only be queried for the NS records for the servers authoritative for root (".").

It might be wrong documentation or a bug in dig.

[1] https://kb.isc.org/docs/aa-00208

Related Solutions

Domain – How to test DNS glue record

Glue records only ever exist in the parent zone of a domain name.

Hence in the case of your example.org domain name, first find the .org name servers:

% dig +short org. NS
a0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b0.org.afilias-nst.org.
b2.org.afilias-nst.org.
c0.org.afilias-nst.info.
d0.org.afilias-nst.org.

Then, for as many of these as you feel like testing, explicitly ask those name servers for the NS records for your domain:

% dig +norec @a0.org.afilias-nst.info. example.org. NS

You should get back the correct list of NS records in the "AUTHORITY SECTION". For any name servers that have correctly configured glue you should see those glue A (and/or AAAA) records appear in the "ADDITONAL SECTION".

When does the TLD having glue records for the nameservers save DNS lookups

To add to Mit's answer. The best practice is to only use Glue Records to resolve those circular dependencies. See section 2.3 of RFC1912: http://www.faqs.org/rfcs/rfc1912.html

To quote:

Some people get in the bad habit of putting in a glue record whenever
they add an NS record "just to make sure". Having duplicate glue
records in your zone files just makes it harder when a nameserver moves to a new IP address, or is removed. You'll spend hours trying to figure out why random people still see the old IP address for some host, because someone forgot to change or remove a glue record in some other file. Newer BIND versions will ignore these extra glue records in local zone files.

Note that last bit if you're using BIND. Also, I think most DNS clients will ignore extra-domain glue records, which would explain what you're seeing.

Edit to follow up on comment.

With TLD glue records, you'd typically provide them to your registrar, but otherwise the same rules apply. I run domains in .co.uk and .com. I also have name servers in both of those TLDs that are authoritative for all of my domains.

If I run dig ns co.uk and dig ns com, I can see the big heap of servers that are authoritative for those TLDs. If I pick one of those listed .com servers and dig @<server> ns <mydomain>.com it'll return all four name servers for my domain, but only the glue records of the name servers in the same TLD (supplied as ADDITIONALs), which is what you're describing.

If I run dig @<co.uk server> <myotherdomain>.co.uk, I'll again get all four name servers, but this time accompanied by the glue records for the 3 of them in the .co.uk TLD.

This is all as it should be. If all of your name servers are in the .us TLD, then clients looking for your .com domains will be told the domain names of your name servers by the .com servers; then the clients will perform another query on the .us servers to find their IPs. That extra round trip might sound inefficient, but it only has to happen once per TTL period per client. (typically 48 hours for TLD records.)

(Apologies if you already know all of the above). To answer the original question. Glue records are not intended to save DNS lookups. They're necessary to prevent infinite loops.

Edit 2

Sorry for waffling around the issue. I see what you mean, now (Good diagrams, by the way).

My understanding of how clients should behave is that if one has the opportunity to get authoritative RRs, then it should; but in this case, the client is asking the name server for its own A records, which is pointless, since the Glue is those A records.

I'm reaching the limits of my knowledge here, but I can't think of any situation why a client would need to do this. I'm guessing here, but perhaps the client implementation needs to check that the server is definitely authoritative for ns_.host.us, even when that means what looks like a pointless, extra round-trip.

Try a dig +trace www.example.com to see if it does the same thing. I'd be curious to see if it does the same lookup if the original query was for a _.host.us name, too.

Best Answer

Related Solutions

Domain – How to test DNS glue record

When does the TLD having glue records for the nameservers save DNS lookups

Related Topic