Fix DNS Glue Record Missing - Nameserver Resolution Failure

Introduction

Glue records exist to break a circular dependency in DNS. When a domain's nameservers are within the same domain (ns1.example.com for example.com), the DNS system cannot resolve the nameserver hostname without already knowing the nameserver IP. Glue records, stored at the parent zone (the TLD registry), provide these IP addresses directly. When glue records are missing or wrong, the domain becomes completely unreachable - a critical failure that cannot be fixed from within the domain's own zone.

Symptoms

The domain is completely unreachable, but only when queried from outside the authoritative nameservers:

``` # Domain works when querying nameserver directly dig @192.168.1.10 example.com NS +short ns1.example.com. ns2.example.com.

# But fails from recursive resolvers dig example.com NS ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345

# Query for glue at parent zone returns nothing dig example.com NS @a.gtld-servers.net +additional # No additional section with IP addresses

# whois shows nameservers but no glue whois example.com | grep "Name Server" Name Server: NS1.EXAMPLE.COM Name Server: NS2.EXAMPLE.COM # But querying TLD shows no IP addresses ```

DNS tracing reveals the problem:

``` dig +trace example.com NS

; <<>> DiG 9.16.1 <<>> +trace example.com NS ;; global options: +cmd . 518400 IN NS a.root-servers.net. . 518400 IN NS b.root-servers.net. ;; Received 525 bytes from 192.168.1.1#53

com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. ;; Received 773 bytes from 198.41.0.4#53

;; NOTICE: The glue address for ns1.example.com is missing ;; Querying ns1.example.com directly, but we cannot find its IP ;; Resolution fails here ```

Online DNS checkers report:

bash

Error: No glue records found for nameserver ns1.example.com
Error: Nameserver is within the domain but has no glue record
Warning: Domain may be unreachable from some resolvers

Common Causes

1.Glue never created - Nameservers registered at registrar but IP addresses not added
2.Nameserver IP changed - Glue record still has old IP
3.Registrar interface error - Glue records not saved or processed correctly
4.TLD restrictions - Some TLDs have specific requirements for glue records
5.Child nameservers removed from parent - Registry cleanup or error
6.Transfer-related loss - Glue lost during domain transfer between registrars

Step-by-Step Fix

Step 1: Verify Glue Record Problem

Check the parent zone for glue records:

```bash # For .com domains, query the gTLD servers dig example.com NS @a.gtld-servers.net +additional

# For .net domains dig example.net NS @a.gtld-servers.net +additional

# For .org domains dig example.org NS @a0.org.afilias-nst.info +additional

# For country TLDs, check the ccTLD servers dig example.co.uk NS @ns1.nic.uk +additional

# Look for the ADDITIONAL section with IP addresses # If missing or shows wrong IPs, glue records are the problem ```

Check for the circular dependency condition:

```bash # List the domain's nameservers dig example.com NS +short ns1.example.com. ns2.example.com.

# Are the nameservers within the domain? # ns1.example.com and ns2.example.com are in example.com # This means glue records are REQUIRED

# Check if nameservers are reachable by IP dig @192.168.1.10 example.com SOA # If this works but recursive queries fail, glue is missing ```

Use a DNS traversal tool:

```bash # dnstracer shows the delegation path dnstracer example.com

# Or use dnswalk dnswalk example.com.

# Or online tools like: # https://dnscheck.pingdom.com # https://intodns.com/example.com ```

Step 2: Verify Nameserver IPs Are Correct

Before setting glue, verify the actual IP addresses of your nameservers:

```bash # From the server itself ip addr show # Or ifconfig

# Check which IPs are listening on port 53 ss -tlnp | grep :53 netstat -tlnp | grep :53

# Test from inside the network dig @127.0.0.1 example.com SOA dig @192.168.1.10 example.com SOA ```

Ensure both IPv4 and IPv6 (if applicable):

```bash # Check IPv4 dig @192.168.1.10 example.com SOA

# Check IPv6 dig @2001:db8::1 example.com SOA

# Both should work if you plan to advertise both ```

Step 3: Create or Update Glue Records at Registrar

Glue records are set at the registrar, not in your DNS zone. The process varies by registrar:

For GoDaddy:

bash

1. Log into GoDaddy Domain Manager
2. Scroll to "Additional Settings" > "Host Names"
3. Click "Add" to create host names
4. Enter nameserver name (ns1.example.com) and IP address
5. Save changes
6. Wait 24-48 hours for propagation

For Namecheap:

bash

1. Log into Namecheap
2. Go to Domain List > Manage
3. Find "Nameservers" > "Custom DNS"
4. Click "Specify Custom Nameservers"
5. Add nameserver hostname and IP in the glue records section
6. Save changes

For Cloudflare Registrar:

bash

1. Log into Cloudflare
2. Select the domain
3. Go to Overview > Domain Registration
4. Find "Nameserver IPs" section
5. Enter IP addresses for each nameserver

Using registrar API (if available):

bash

# GoDaddy API example
curl -X PATCH "https://api.godaddy.com/v1/domains/example.com/hosts" \
  -H "Authorization: sso-key {key}:{secret}" \
  -H "Content-Type: application/json" \
  -d '[
    {
      "name": "ns1",
      "ips": ["192.168.1.10"]
    },
    {
      "name": "ns2",
      "ips": ["192.168.1.11"]
    }
  ]'

Step 4: Verify Glue Records at Registry

After setting glue at your registrar, verify it has propagated to the registry:

```bash # Query the TLD servers directly dig ns1.example.com @a.gtld-servers.net dig ns1.example.com @b.gtld-servers.net

# Check the additional section has IP addresses dig example.com NS @a.gtld-servers.net +additional

# Look for output like: ;; ADDITIONAL SECTION: ns1.example.com. 172800 IN A 192.168.1.10 ns2.example.com. 172800 IN A 192.168.1.11 ```

Step 5: Verify Internal Zone A Records

Ensure the nameserver hostnames have A records in your own zone:

```bash # Check your zone file has A records for the nameservers dig @192.168.1.10 ns1.example.com A +short dig @192.168.1.10 ns2.example.com A +short

# These should match the glue records at the registry ```

For BIND zone file:

bash

# /etc/bind/db.example.com should include:
ns1.example.com.     IN  A   192.168.1.10
ns2.example.com.     IN  A   192.168.1.11

Step 6: Handle Out-of-Bailiwick Nameservers

If your nameservers are in a different domain, you do not need glue records:

```bash # If using external nameservers: dig example.com NS +short ns1.provider.net. ns2.provider.net.

# These are "out of bailiwick" - no glue needed # Resolution works because provider.net can be resolved independently ```

To switch from in-bailiwick to out-of-bailiwick:

bash

1. Set up nameservers at external provider (e.g., ns1.provider.net)
2. Update domain's nameserver registration to use external nameservers
3. Remove glue records at registrar (or they will be ignored)

Step 7: Wait for Propagation and Verify

Glue record changes can take 24-48 hours to fully propagate:

```bash # Check from multiple locations # Using Google DNS dig @8.8.8.8 example.com NS +additional

# Using Cloudflare DNS dig @1.1.1.1 example.com NS +additional

# Using Quad9 dig @9.9.9.9 example.com NS +additional

# From a different network/ISP # (VPN or remote server) ```

Full resolution test:

```bash dig +trace example.com NS

# Should show: # 1. Root servers refer to TLD servers # 2. TLD servers return NS records WITH glue IPs # 3. Your nameservers respond with the zone data ```

Common Pitfalls

Confusing glue with zone A records - Glue is at the registry, A records are in your zone
Updating IP in zone but not glue - Creates mismatch, old glue causes wrong IPs
Adding glue for out-of-bailiwick nameservers - Not needed, will be ignored
Forgetting IPv6 glue - If advertising IPv6 nameservers, need AAAA glue too
Registrar support not understanding glue - May need escalation to registry-level support
Testing too soon after change - Glue propagation is slower than regular DNS

Best Practices

Keep a record of all glue IPs outside the DNS system for disaster recovery
Use out-of-bailiwick nameservers to avoid glue dependency when possible
Set up monitoring that checks the glue records at the parent zone, not just your zone
Document the registrar and specific steps for updating glue in your runbooks
Test glue records after any IP address changes on nameservers
Consider using registrar APIs for glue record updates to enable automation

DNS Nameserver Not Responding
DNS SERVFAIL Errors
DNS Zone Transfer Failed
Domain Transfer Issues
DNS Resolution Failure

DNS Glue Record Missing - Nameserver Resolution Failure

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Step 1: Verify Glue Record Problem

Step 2: Verify Nameserver IPs Are Correct

Step 3: Create or Update Glue Records at Registrar

Step 4: Verify Glue Records at Registry

Step 5: Verify Internal Zone A Records

Step 6: Handle Out-of-Bailiwick Nameservers

Step 7: Wait for Propagation and Verify

Common Pitfalls

Best Practices

Related Issues

Share this guide

More DNS Troubleshooting Guides

Fix DNS RPZ Reaction NSDNAME Not Blocking Queries

Fix DNS DDNS GSS-TSIG Kerberos Authentication

Fix DNS SVCB HTTPS Record Service Binding

Fix DNS ZONEMD Record Integrity Validation Failing

Fix DNS CDS CDNSKEY Automatic DS Update Not Working

Fix DNS NAPTR Record ENUM Translation Failure