Help with DNS Glue records and where SOA record resides

Barry Margolin barmar at
Wed Oct 3 22:26:55 UTC 2001

In article <9pg1d8$a68 at>,
Steddy Man <stephen.eddy at> wrote:
>On 3 Oct 2001 13:21:28 -0700, Barry Margolin <barmar at>
>>In article <9pfou1$8sf at>,
>>Steddy Man <stephen.eddy at> wrote:
>>>I have created A and NS records on my own DNS server present on
>>> and, but because I am not
>>>authoritative for the domain, this may be why I have problems.  My ISP
>>>says he is unable to create A records for my name servers in the
>>> domain (don't ask), and that they are not required
>>>anyway since the glue records take care of it (remember I am
>>>attempting to host other domain using these name servers too).
>>They're wrong.
>>Sometime in the past week I posted a message with lots of details
>>explaining why you need to duplicate the glue records on the authoritative
>>servers, so I'm not going to repeat it.  Do a Google search for my previous
>>message.  But here's a brief summary: if a server has timed out the cached
>>glue records, but still has the NS records in its cache, it won't go to the
>>root servers so it won't look up the glue records, because you only go to
>>root servers when you don't have any more specific NS records in your
>I did see the other post about needing A records in addition to the
>glue records, but since I am using the name servers to host other
>domains I am not 100% sure this is totally relevant. 
>Which NS records are you referring to?  The ones in
>at (pointing to

I'm referring to these NS records, which are in both the COM zone and the zone:

	2D IN NS	NS2.LIVEDNS.CO.UK.
	2D IN NS	NS1.LIVEDNS.CO.UK.

>Take the example of  This domain's name server
>records are actually set to and
>  Accessing this domain is intermittent.  This
>domain incidentally was previously hosted by
>When somebody looks up this domain, wouldn't the process be:-
>1. Don't know domain, so lookup at root.
>2. Find glue records and lookup entry at
>3. This is authoritative and has entries for and
>4. Cache times out, but still should look to and
> since these are authoritative for the domain?
>If the same DNS servers contacted by the resolver had previously also
>looked up the domain then it would use these NS
>records to locate ns1 and ns2 by checking and
> (which is wrong in my circumstances).  Is this what
>you are saying?

I think so.

When things are working, the cache might contain:

      IN NS
      IN A
      IN NS
      IN A

Now suppose the A record for times out, but the other
two records remain.  If you want to look up, the process
would be:

1. I know the domain, its nameserver is
2. I don't know the address of, so I need to look that
   a. I know the domain, its nameserver is, whose address is
   b. Look up at  It says the
      address doesn't exist.

At this point the whole process comes to a stop (I didn't show, but assume that the same thing happens to it).  BIND
will log a message indicating that there are no usable NS records for the domain.

Eventually the NS record pointing to will
time out, and then you'll go back to the root servers, pick up glue
records, and things will work again for a while.

Barry Margolin, barmar at
Genuity, Woburn, MA
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
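
An added example, not part of the original message: a simplified Python model of the cache sequence described above, showing the outage window when the nameserver's A record exists only as glue, next to the case where it is duplicated in the authoritative zone. All names, addresses and TTLs (hosted.example, dnshost.example, ns.isp.example, the one-hour glue TTL) are constructed assumptions, and negative caching is not modelled.

```python
# Simplified model of a caching resolver. All names, addresses and TTLs are
# constructed for illustration; the glue TTL being shorter than the NS TTL is
# an assumption that reproduces "glue timed out, NS still cached".
NS_TTL, GLUE_TTL = 172800, 3600
NS_HOST = "ns1.dnshost.example"            # nameserver of the hosted domain
PARENT_REFERRAL = [                        # what the parent-zone servers hand out
    (("hosted.example", "NS"), NS_HOST, NS_TTL),
    ((NS_HOST, "A"), "192.0.2.53", GLUE_TTL),          # the glue record
    (("dnshost.example", "NS"), "ns.isp.example", NS_TTL),
]


class Resolver:
    def __init__(self, auth_zone):
        self.auth_zone = auth_zone  # data served by dnshost.example's own servers
        self.cache = {}             # (name, type) -> (value, expiry time)

    def cached(self, key, now):
        value, expiry = self.cache.get(key, (None, 0))
        return value if now < expiry else None

    def ask_parent(self, now):
        for key, value, ttl in PARENT_REFERRAL:
            self.cache[key] = (value, now + ttl)

    def nameserver_address(self, now):
        """Address of hosted.example's nameserver, or None when resolution stalls."""
        keys = [("hosted.example", "NS"), ("dnshost.example", "NS")]
        if any(self.cached(k, now) is None for k in keys):
            self.ask_parent(now)    # no specific NS cached: go back to the top
        addr = self.cached((NS_HOST, "A"), now)
        if addr is not None:
            return addr
        # Glue expired, NS still cached: the cached NS for dnshost.example is
        # followed, so the question goes to that zone's own servers.
        answer = self.auth_zone.get((NS_HOST, "A"))
        if answer is None:
            return None             # negative answer: no usable NS records
        value, ttl = answer
        self.cache[(NS_HOST, "A")] = (value, now + ttl)
        return value


def timeline(auth_zone, times=(0, 3599, 3600, 172799, 172800)):
    resolver = Resolver(auth_zone)
    return [resolver.nameserver_address(t) is not None for t in times]


GLUE_ONLY = {}                                         # ISP refuses the A records
DUPLICATED = {(NS_HOST, "A"): ("192.0.2.53", 86400)}   # A records in the zone too
```

`timeline(GLUE_ONLY)` fails from the moment the glue expires until the NS records expire, while `timeline(DUPLICATED)` succeeds at every sampled time.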

More information about the bind-users mailing list