[dns-operations] Verisign won't delete obsolete glue records?

Brian Dickson brian.peter.dickson at gmail.com
Tue Mar 2 00:15:03 UTC 2021

On Mon, Mar 1, 2021 at 3:28 PM Doug Barton <dougb at dougbarton.email> wrote:

> I'm being told something by my registrar which I find impossible to
> believe, but they keep telling me that they have accurately transmitted
> my request, and that the answer is no. "Let me 'splain. No, there is too
> much. Let me sum up."

> So what am I missing here? I know that in the past it was possible, and
> in fact desirable, to remove those obsolete glue records, but now it's
> impossible to do it?

Not speaking with knowledge of the specifics, only concerning the general
The RRR (registry/registrar/registrant) system is somewhat complex, and
The common language used, EPP, is capable of representing relationships,
but is restrictive.

The root problem is the object model (tied to the database nature of
A glue record is basically a host record, with a name and IP address(es).
Domains (registered with the registry, belonging to registrants) have their
delegations represented as references to host records.

This is where things break down: the delegation is to the object, not the

If you change your delegations to a different name, that will either change
the reference to a different object, or possibly create a new object and
use that for its delegation reference.

The old object (with the original name) still exists.

If (and ONLY if) there are no other references (i.e. delegations) to that
object, can the object be deleted.

That rule is enforced, and is tied to the database model for hosts and

You do generally have the option of renaming the object, and there are some
interesting options available.

One is to change the name to an off-TLD name, in which case the
corresponding IP address(es) are removed.

Using an off-TLD name that is deliberately and permanently unresolvable is
a nice, clean way of "breaking" the other domains, who should really not
have been using your name server as their name server without your

An example name would be "SOME_RANDOM_VALUE".empty.as112.arpa
(empty.as112.arpa is a zone intended to never have any non-apex records, as
the name suggests, and its existence is defined for that purpose in RFC

For "SOME_RANDOM_VALUE", it is recommended that you use a GUID type
generated value for the label, to ensure it does not collide with anyone
else doing the same thing. (There are others doing this already.)

Hope this helps explain the situation.

(It's not your fault, and it isn't the registry's fault, it is whoever has
for whatever reason delegated some other domain to your name server that
has caused the problem.)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210301/ee6b8544/attachment.html>

More information about the dns-operations mailing list