Wrong glue records entered.

Steven Job list3 at wwwcrazy.com
Tue Jan 18 02:15:33 UTC 2005


Quoting Barry Margolin <barmar at alum.mit.edu>:

> Glue records are the A records that are related to NS records.  So your
> question doesn't really make sense.  I think what you're asking is "Is
> the A record for the target of an MX supposed to be returned with an MX
> query?"  The answer to that is "yes" -- if the relevant A records are in
> the server's memory (either authoritative data or cache) they should be
> included in the Additional Records section of the response.  RFC 1035
> section 3.3.9 says: "MX records cause type A additional section
> processing for the host specified by EXCHANGE."
>

This is exactly what I thought. I know I didn't explain it correctly at all.

> They're probably not asking your servers, they're just using the
> additional records that your servers are sending along with the MX
> response.

That makes sense but they should then go out and validate the data (go out and
verify that the glue record is correct).
Let's say for instance I had the domain "example.com"
Then if I had the record:
www.example.com.  900000    IN      CNAME   www.yahoo.com.

Then if I also had the domain "yahoo.com" configured and pointed "www.yahoo.com"
to any IP that I owned.

Are we saying that my version of "www.yahoo.com" would then be cached in the
resolving name server?  Wouldn't that just poison the Internet?
Anyone could do the same thing with banks and ecommerce sites.

I would think that the resolving name server would have enough knowledge to go
out and resolve "www.yahoo.com" from the start and not trust a glue record.
And this appears to be the case for the versions of BIND that I tested and also
dnscache.
But there are some resolving name servers that are incorrect in that they do use
the glue record all of the time.

-Steve
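
Added example, not part of the original post and not code from BIND or dnscache: a minimal sketch of the check discussed above, usually called a bailiwick check, in which a resolver keeps only records inside the zone it asked the server about and re-resolves anything else from the start. The names `RR`, `scrub` and `in_bailiwick`, and all record values, are constructed for illustration.

```python
from typing import NamedTuple

class RR(NamedTuple):
    name: str
    rtype: str
    rdata: str

def norm(name: str) -> str:
    return name.rstrip(".").lower()

def in_bailiwick(name: str, zone: str) -> bool:
    # True only if name is the zone apex or a label-aligned subdomain of it.
    n, z = norm(name), norm(zone)
    return z == "" or n == z or n.endswith("." + z)

def target(rr: RR) -> str:
    # The last field of CNAME/MX/NS rdata is the referenced host name.
    return norm(rr.rdata.split()[-1])

def scrub(zone, qname, answer, additional):
    """Split a response from a server for `zone` into records to cache,
    records to discard, and names to re-resolve from the root."""
    accepted, rejected, follow_up = [], [], []
    wanted, referenced = norm(qname), set()
    for rr in answer:
        if wanted is None or norm(rr.name) != wanted or not in_bailiwick(rr.name, zone):
            rejected.append(rr)
            continue
        accepted.append(rr)
        if rr.rtype == "CNAME":
            if in_bailiwick(target(rr), zone):
                wanted = target(rr)            # chain stays inside the zone
            else:
                follow_up.append(target(rr))   # resolve independently
                wanted = None                  # trust nothing further here
        elif rr.rtype in ("MX", "NS"):
            referenced.add(target(rr))
    for rr in additional:
        ok = in_bailiwick(rr.name, zone) and norm(rr.name) in referenced
        (accepted if ok else rejected).append(rr)
    return accepted, rejected, follow_up

# Constructed responses from a server queried for the zone example.com.
CNAME_ANSWER = [RR("www.example.com.", "CNAME", "www.yahoo.com."),
                RR("www.yahoo.com.", "A", "192.0.2.66")]
MX_ANSWER = [RR("example.com.", "MX", "10 mail.example.com.")]
MX_ADDITIONAL = [RR("mail.example.com.", "A", "192.0.2.25"),
                 RR("www.yahoo.com.", "A", "192.0.2.66")]

if __name__ == "__main__":
    print(scrub("example.com", "www.example.com", CNAME_ANSWER, []))
    print(scrub("example.com", "example.com", MX_ANSWER, MX_ADDITIONAL))
```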


