[dns-operations] Registrar for .net and .com fails to accept an NS in .edu

Mariano Absatz - gmail el.baby at gmail.com
Tue Dec 4 14:27:29 UTC 2018

Mariano Absatz - El Baby

On Tue, 4 Dec 2018 at 09:50, John W.O'Brien <obrienjw at upenn.edu> wrote:

> Hi Duane,
> Thank you for chiming in on this. This information is convergent with
> what I've been learning via off-list responses and from tech support
> contacts at various organizations.
> A thing that is still causing me some grinding of gears---and this feels
> like I may be wandering into unknowing-n00b territory---is the use of
> the term "glue records" in this context. This is a Verisign business
> logic-based process step, not a DNS protocol-based one. Right?

Hi John,

"glue record" /is/ a DNS protocol-based term (and an old one indeed).

You need a glue record when you do in-zone delegations, for example, if
you want to delegate the domain example.com to ns1.example.com and
ns2.example.com if it weren't for the glue records you get yourself into
a chicken-and-egg problem.

If you just put the delegation (NS) records in the .com authoritative
servers, a resolver querying any of those about www.example.com would
get a response with AUTHORITY set to ns1.example.com and ns2.example.com.

Then the resolver tries to resolve ns1.example.com and, querying the
.com name servers it gets a response with AUTHORITY set to
ns1.example.com and ns2.example.com.

To find out the IP address of ns1.example.com you first need to know the
IP address of ns1.example.com. Not good.

Glue records are "A" or "AAAA" records for a child (delegated) zone that
you put in the parent zone regardless that the parent has no longer
authority on the now delegated zone. Even when these records are not
authoritative in the parent server, they allow you to break the circle.

In this case, in the .com zone you'd put the "A" and "AAAA" records for
ns1.example.com and ns2.example.com. For this to happen, you must inform
your registrar about the IP addresses of your in-zone name servers. It's
not a Verisign specific issue. Any registry or registrar should allow
for glue records.

Given your specific case, my guess is that Verisign may be overzealous
requiring anyone to register any authoritative name server within their
TLDs that serves any domain within their TLDs.

If uphs{1,2,3}.uphs.upenn.edu are *not* used to serve anything under
upenn.edu glue records are not needed.

What's more, if uphs{1,2,3}.uphs.upenn.edu were to serve uphs.upenn.edu,
you could place glue records for these servers in the upenn.edu name
servers (assuming the name servers for upenn.edu are not within
uphs.upenn.edu), but my guess is that Verisign is overzealous just to
prevent you from shooting your own foot (that is you, me or any DNS

> I have succeeded in delegating a .org name to a name server in each of
> the .edu and .net domains, and a .net name to a .org NS, and a .com name
> to a .us NS, and none of the receiving servers are registered. What then
> is the purpose of the consistency checks among COM, NET, and EDU from
> Verisign's perspective? Is there any possibility of relaxing or removing
> them? What harm is prevented that names and name servers in other TLDs
> remain susceptible to?
> On 2018/12/03 16:55, Wessels, Duane wrote:
> > John,
> >
> > .com, .net, and .edu share the same backend registry database.  The
> > message that you're getting when attempting to register the .net and .com
> > domains is saying that there should be glue records for uphs{1,2,3}.
> > uphs.upenn.edu in that shared database.
> >
> > So you would have to go to your .edu registrar and add these hosts under
> > the upenn.edu account in order to make it work.
> >
> > DW
> >
> >
> > On 12/3/18, 10:35 AM, "dns-operations on behalf of John W.O'Brien" <
> > dns-operations-bounces at dns-oarc.net on behalf of obrienjw at upenn.edu>
> > wrote:
> >
> >     Good day DNS Operators,
> >
> >     I am having some trouble making uphs{1,2,3}.uphs.upenn.edu authoritative
> >     for a number of domains in net and com. The registrar claims that the
> >     name servers have to be "registered" but doesn't appear to provide a
> >     mechanism for doing so. There is already appropriate glue in edu for the
> >     upenn.edu NS, and in upenn.edu for the uphs.upenn.edu NS, and they are
> >     all happily answering queries for those domains. I'm struggling to
> >     understand what it means to be registered and how to do it.
> >
> >     Could someone wiser than I in the ways of registrars and TLD operators
> >     shed some light on my predicament?
> --
> John W. O'Brien
> University of Pennsylvania
> OpenPGP key ID:
>     0xD97D135B02EC753B
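
An added example, not part of the thread above: a small Python model of the glue rule Mariano describes. It decides which delegation name servers are in-bailiwick (and so need A/AAAA glue in the parent), and a mini-resolver restricted to the parent's delegation data shows the chicken-and-egg loop when that glue is missing. The example.com delegation data and the 192.0.2.1 address are constructed, and the function names are my own.

```python
# Added example (not from the thread): which NS names need glue, and the
# lookup loop that occurs when in-bailiwick glue is missing.
# All delegation data below is constructed, not real registry contents.
from typing import Dict, List, Optional


def in_bailiwick(zone: str, name: str) -> bool:
    """True if `name` is at or below `zone`, so its address lives in the delegated zone."""
    z, n = zone.rstrip(".").lower(), name.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def glue_required(zone: str, nameservers: List[str]) -> List[str]:
    """NS names the parent must carry A/AAAA glue for (a protocol need, not registry policy)."""
    return sorted(ns for ns in nameservers if in_bailiwick(zone, ns))


def find_ns_address(parent: Dict[str, dict], zone: str, ns: str,
                    seen: frozenset = frozenset()) -> Optional[str]:
    """Simulate a resolver that only holds the parent's delegation data.

    `parent` maps a delegated zone to {"ns": [...], "glue": {name: addr}}.
    Returns the glue address, a marker that the name can be resolved via
    another zone, or None when the lookup needs an address it cannot get.
    """
    deleg = parent[zone]
    if ns in deleg["glue"]:
        return deleg["glue"][ns]              # glue breaks the circle
    if not in_bailiwick(zone, ns):
        return "RESOLVE-OUT-OF-ZONE"          # ask that name's own parent instead
    if ns in seen:
        return None                           # back where we started: chicken-and-egg
    # The referral for `ns` only names the child's own servers; to contact
    # any of them we first need one of their addresses.
    for child_ns in deleg["ns"]:
        addr = find_ns_address(parent, zone, child_ns, seen | {ns})
        if addr is not None:
            return addr
    return None


# Constructed .com delegation for example.com: without glue, then with glue for one server.
COM_NO_GLUE = {"example.com": {"ns": ["ns1.example.com", "ns2.example.com"], "glue": {}}}
COM_WITH_GLUE = {"example.com": {"ns": ["ns1.example.com", "ns2.example.com"],
                                 "glue": {"ns1.example.com": "192.0.2.1"}}}

if __name__ == "__main__":
    print(glue_required("example.com", ["ns1.example.com", "uphs1.uphs.upenn.edu"]))
    print(find_ns_address(COM_NO_GLUE, "example.com", "ns1.example.com"))
    print(find_ns_address(COM_WITH_GLUE, "example.com", "ns2.example.com"))
```

Note that glue for a single in-zone server is enough to bootstrap the others, and that an out-of-zone server such as uphs1.uphs.upenn.edu needs no glue in .com as far as the protocol is concerned.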
