[dns-operations] Registrar for .net and .com fails to accept an NS in .edu

Robert Edmonds edmonds at mycre.ws
Tue Dec 4 13:39:10 UTC 2018

John W. O'Brien wrote:
> Hi Duane,
>
> Thank you for chiming in on this. This information is convergent with
> what I've been learning via off-list responses and from tech support
> contacts at various organizations.
>
> A thing that is still causing me some grinding of gears---and this feels
> like I may be wandering into unknowing-n00b territory---is the use of
> the term "glue records" in this context. This is a Verisign business
> logic-based process step, not a DNS protocol-based one. Right?
>
> I have succeeded in delegating a .org name to a name server in each of
> the .edu and .net domains, and a .net name to a .org NS, and a .com name
> to a .us NS, and none of the receiving servers are registered. What then
> is the purpose of the consistency checks among COM, NET, and EDU from
> Verisign's perspective? Is there any possibility of relaxing or removing
> them? What harm is prevented that names and name servers in other TLDs
> remain susceptible to?

.com, .net, and .edu appear to share the exact same set of nameserver IP
addresses (e.g., a.gtld-servers.net = a.edu-servers.net =
In theory, a recursive resolver could notice that e.g. is
authoritative for .net and .edu, and allow it to provide glue records in
.edu when resolving a name in .net, rather than discarding those glue
records and independently resolving the addresses of the NSDNAMEs. In
practice, I haven't heard of a resolver that implements this kind of
bailiwick check and I would imagine most resolver implementations use
name-based bailiwick checks.

Robert Edmonds
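
The name-based bailiwick check mentioned in the reply above, as an added example that is not part of the original thread and is not taken from any resolver's source. The zone names, NSDNAMEs and addresses are constructed (documentation ranges), and the function names are hypothetical.

```python
# Added illustration of a name-based bailiwick check; all names and
# addresses below are constructed (documentation address ranges).

def labels(name):
    """Split a domain name into lowercase labels; the root is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(owner, zone):
    """True if owner is at or below zone, compared label by label."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_glue(zone, ns_names, additional):
    """Split a referral's additional section into accepted and discarded glue.

    zone       -- zone the responding server was queried as authority for
    ns_names   -- NSDNAMEs from the referral's NS RRset
    additional -- (owner, rtype, address) tuples from the additional section
    """
    wanted = {".".join(labels(n)) for n in ns_names}
    accepted, discarded = [], []
    for owner, rtype, addr in additional:
        ok = (rtype in ("A", "AAAA")
              and ".".join(labels(owner)) in wanted
              and in_bailiwick(owner, zone))
        (accepted if ok else discarded).append((owner, rtype, addr))
    return accepted, discarded

def needs_lookup(ns_names, accepted):
    """NSDNAMEs with no accepted glue; the resolver resolves these itself."""
    have = {".".join(labels(owner)) for owner, _, _ in accepted}
    return [n for n in ns_names if ".".join(labels(n)) not in have]

# Constructed referral from a .net server for example.net.
NS_NAMES = ["ns1.example.edu.", "ns2.example.net."]
ADDITIONAL = [
    ("ns1.example.edu.", "A", "192.0.2.1"),      # out of bailiwick for net.
    ("ns2.example.net.", "A", "198.51.100.1"),   # in bailiwick for net.
]

if __name__ == "__main__":
    accepted, discarded = filter_glue("net.", NS_NAMES, ADDITIONAL)
    print("accepted: ", accepted)
    print("discarded:", discarded)
    print("resolve separately:", needs_lookup(NS_NAMES, accepted))
```

The decision depends only on the owner name relative to the queried zone, so the .edu glue is dropped even when the responding server also happens to serve .edu.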
