Domain name system (DNS) resolution is an iterative process where a recursive resolver attempts to look up a domain name using a hierarchical resolution chain. First, the recursive resolver queries the root (.), which provides the nameservers for the top-level domain(TLD), e.g.com. Next, it queries the TLD nameservers, which provide the domain’s authoritative nameservers. Finally, the recursive resolver  queries those authoritative nameservers.  
 
In many cases, we see domains delegated to nameservers inside their own domain, for instance, “example.com.” is delegated to “ns01.example.com.” In these cases, we need glue records at the parent nameservers, usually the domain registrar, to continue the resolution chain.  

What is a glue record? 

Glue records are DNS records created at the domain’s registrar. These records provide a complete answer when the nameserver returns a reference for an authoritative nameserver for a domain. For example, the domain name “example.com” has nameservers “ns01.example.com” and “ns02.example.com”. To resolve the domain name, the DNS would query in order: root, TLD nameservers and authoritative nameservers.  

When nameservers for a domain are within the domain itself, a circular reference is created. Having glue records in the parent zone avoids the circular reference and allows DNS resolution to occur.  

Glue records can be created at the TLD via the domain registrar or at the parent zone’s nameservers if a subdomain is being delegated away.  

When are glue records required? 

Glue records are needed for any nameserver that is authoritative for itself. If a 3rd party, such as a managed DNS provider hosts the DNS for a zone, no glue records are needed. 

IBM NS1 Connect Dedicated DNS nameservers require glue records 

IBM NS1 Connect requires that customers use a separate domain for their Dedicated DNS nameservers. As such, the nameservers within this domain will require glue records. Here, we see glue records for exampledns.net being configured in Google Domains with random IP addresses: 

Once the glue records have been added at the registrar, the Dedicated DNS domain should be delegated to the IBM NS1 Connect Managed nameservers and the Dedicated DNS nameservers. For most customers, there will be a total of 8 NS records in the domain’s delegation. 

What do glue records look like in the dig tool? 

Glue records appear in the ADDITIONAL SECTION of the response. To see a domain’s glue records using the dig tool, directly query a TLD nameserver for the domain’s NS record. The glue records in this example are in quotation marks. Quotation marks are used for emphasis below: 

How do I know my glue records are correct? 

To verify that glue records are correctly listed at the TLD nameservers, directly query the TLD nameservers for the domain’s NS records using the dig tool as shown above. Compare the ADDITIONAL SECTION contents of the response to the expected values entered as NS records in IBM NS1 Connect.