Introduction

Glue record misconfiguration can break an entire domain before resolvers even reach the authoritative zone. This happens most often when a domain uses custom nameservers under its own hostname, and the registrar still points those hosts to outdated IP addresses. The fix is to treat glue as registrar-level infrastructure, not as an ordinary zone record you can update in only one place.

Symptoms

  • The domain fails to resolve after changing nameserver IPs or moving DNS servers
  • Some resolvers hit old nameserver addresses while others eventually recover
  • DNS checks flag broken or inconsistent glue for in-bailiwick nameservers
  • The zone itself looks correct, but resolvers cannot reliably reach the authoritative servers
  • The issue began after server migration, failover, or registrar-side changes

Common Causes

  • Registrar host records still point to old nameserver IP addresses
  • Only the zone's A records were updated, leaving registrar glue unchanged
  • Multiple custom nameservers were updated inconsistently during migration
  • Old server IPs still answer partially, making the failure intermittent and harder to spot
  • Delegation and authoritative DNS changes were made in the wrong order during cutover

Step-by-Step Fix

  1. Confirm whether the domain uses in-bailiwick nameservers such as ns1.yourdomain.com that require glue records.
  2. Check the registrar host-record configuration and compare each glue IP with the actual live nameserver addresses.
  3. Verify the nameserver hosts themselves resolve consistently and answer authoritatively for the zone.
  4. Update registrar glue records where needed, not just DNS zone A records inside the domain.
  5. Remove obsolete nameserver IPs from the migration path so resolvers do not continue reaching dead infrastructure.
  6. Query the parent delegation and authoritative servers separately to confirm the correction is visible at both levels.
  7. Test resolution for the domain and subdomains from external resolvers after the glue change propagates.
  8. Validate related services such as website traffic, mail routing, and verification records once delegation is healthy.
  9. Keep nameserver migration runbooks explicit about glue dependencies so future cutovers do not leave parent and child data out of sync.