One nameserver not sending out glue

[Nickske00]

Hi guys,

Couple of months ago I moved my main server to a new dedicated server running Debian 11.
I always have had my own nameservers (three servers, different places) but since the move intodns reports an informational message I never had before.

intoDNS: buggedbrain.com - check DNS server and mail server health

intoDNS: Checking health and configurtion of DNS server and mail server for domainbuggedbrain.com.

intodns.com

INFO: GLUE was not sent when I asked your nameservers for your NS records.This is ok but you should know that in this case an extra A record lookup is required in order to get the IPs of your NS records. The nameservers without glue are:
78.46.78.132
You can fix this for example by adding A records to your nameservers for the zones listed above.

I understand this is an informational message, and an extra A lookup isn't that expensive these days, but we all want to deliver a perfect service. So I've been investigating this whole weekend and didn't find a solution...

I suppose into dns does a dig query to the nameservers to find out everything it displays? I discovered the Debian 11 servers has less info in the additional section of the response.

ns1.buggedbrain.com

Spoiler

dig @ns1.buggedbrain.com buggedbrain.com NS

; <<>> DiG 9.16.23 <<>> @ns1.buggedbrain.com buggedbrain.com NS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24225
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 19ab739b81ee49100100000061adf556aa36b94e16811bfd (good)
;; QUESTION SECTION:
;buggedbrain.com. IN NS

;; ANSWER SECTION:
buggedbrain.com. 3600 IN NS ns1.buggedbrain.com.
buggedbrain.com. 3600 IN NS ns2.buggedbrain.com.
buggedbrain.com. 3600 IN NS ns3.buggednetworks.eu.

;; ADDITIONAL SECTION:
ns1.buggedbrain.com. 3600 IN AAAA 2a01:4f8:120:3493::2
ns2.buggedbrain.com. 3600 IN AAAA 2a02:c207:2025:7385::1
ns1.buggedbrain.com. 3600 IN A 78.46.78.132
ns2.buggedbrain.com. 3600 IN A 207.180.214.48

;; Query time: 34 msec
;; SERVER: 2a01:4f8:120:3493::2#53(2a01:4f8:120:3493::2)
;; WHEN: Mon Dec 06 12:34:45 Romance (standaardtijd) 2021
;; MSG SIZE rcvd: 231

ns2.buggedbrain.com

Spoiler

dig @ns2.buggedbrain.com buggedbrain.com NS

; <<>> DiG 9.16.23 <<>> @ns2.buggedbrain.com buggedbrain.com NS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4790
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 6efe0418c11a99b548bfd80261adf5d77ab5cea62193d12a (good)
;; QUESTION SECTION:
;buggedbrain.com. IN NS

;; ANSWER SECTION:
buggedbrain.com. 3600 IN NS ns2.buggedbrain.com.
buggedbrain.com. 3600 IN NS ns3.buggednetworks.eu.
buggedbrain.com. 3600 IN NS ns1.buggedbrain.com.

;; ADDITIONAL SECTION:
ns1.buggedbrain.com. 3600 IN AAAA 2a01:4f8:120:3493::2
ns2.buggedbrain.com. 3600 IN AAAA 2a02:c207:2025:7385::1
ns3.buggednetworks.eu. 3600 IN AAAA 2605:a140:2037:7597::1
ns1.buggedbrain.com. 3600 IN A 78.46.78.132
ns2.buggedbrain.com. 3600 IN A 207.180.214.48
ns3.buggednetworks.eu. 3600 IN A 209.126.6.143

;; Query time: 35 msec
;; SERVER: 2a02:c207:2025:7385::1#53(2a02:c207:2025:7385::1)
;; WHEN: Mon Dec 06 12:36:54 Romance (standaardtijd) 2021
;; MSG SIZE rcvd: 275

ns3.buggednetworks.eu

Spoiler

dig @ns3.buggednetworks.eu buggedbrain.com NS

; <<>> DiG 9.16.23 <<>> @ns3.buggednetworks.eu buggedbrain.com NS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37671
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c3a31828a013f83cc30942d761adf5fb75fc789506838b7b (good)
;; QUESTION SECTION:
;buggedbrain.com. IN NS

;; ANSWER SECTION:
buggedbrain.com. 3600 IN NS ns3.buggednetworks.eu.
buggedbrain.com. 3600 IN NS ns1.buggedbrain.com.
buggedbrain.com. 3600 IN NS ns2.buggedbrain.com.

;; ADDITIONAL SECTION:
ns1.buggedbrain.com. 3600 IN AAAA 2a01:4f8:120:3493::2
ns2.buggedbrain.com. 3600 IN AAAA 2a02:c207:2025:7385::1
ns3.buggednetworks.eu. 3600 IN AAAA 2605:a140:2037:7597::1
ns1.buggedbrain.com. 3600 IN A 78.46.78.132
ns2.buggedbrain.com. 3600 IN A 207.180.214.48
ns3.buggednetworks.eu. 3600 IN A 209.126.6.143

;; Query time: 120 msec
;; SERVER: 2605:a140:2037:7597::1#53(2605:a140:2037:7597::1)
;; WHEN: Mon Dec 06 12:37:31 Romance (standaardtijd) 2021
;; MSG SIZE rcvd: 275

As you can see the additional section of ns2 and ns3 contain all ip addresses for all nameservers, but ns1 only contains those for ns1 and ns2. I think this is what intodns is pointing out?

Bind/Named versions:
ns1: 9.16.22
ns2: 9.11.4
ns3: 9.11.5

These are all standard DA setups, sharing zones through multi server. Named configuration hasn't been changed. So I can only suspect they changed something in bind between 9.11 and 9.16... But I can't seem to pin it down, been searching through the changelog but found nothing. Been searching on google, but it is hard to find (recent) discussions about this.

I tried setting 'minimal-responses no;' in the named config, but this didn't help. Only thing that helped was setting 'allow-recursion { any; };' but as everyone says this is a security risk, this isn't a solution.

So does anyone here have an idea as to what has changed in bind to be less informative?

Like I said at the beginning of this post, an extra A lookup isn't the end of the world, but I like to know what has changed, so if someone can point me in the right direction I would be happy.

 

[Active8]

78.46.78.132 is ip address of ns1.buggedbrain.com
Be sure that this IP is in your DNS records as an A record

Example: ns1.buggedbrain.com. A 78.46.78.132

However I have checked your NS setting with DNS Inspect (Better tool than IntoDNS) and didn't see really problems with your glue

Report for buggedbrain.com

www.dnsinspect.com

 

[Nickske00]

As I said, everything works. But as you can see from my own queries, there is a change between bind versions... I'm asking if anyone has an idea where to look for this change.

 

[Richard G]

DA nameservers do not send GLUE records. GLUE records are only send by your registrar. If you want GLUE records, ask your registrar to set GLUE records to your nameservers.
A Glue Record is the IP Address of a name server at a domain name registry.

You can also see this at the result page of the link Active8 pointed to, saying the parent nameservers are offering the GLUE.
Also check the A records he mentioned

Some registrars might not provide GLUE records, but that is not a big thing, as it states, it only requires 1 extra lookup, which is not a big deal.

 

[Nickske00]

They do send out GLUE as you can see in the ADDITIONAL section of the answers.

 

[Active8]

But as you can see from my own queries, there is a change between bind versions.

Yes That is really odd, according Debian website is 9.16.x branch the latest version.
I'm not familiar with Debian OS , maybe has to with the way the bind is updated (by OS or DA) I'm not certain

 

[Richard G]

No they don't. Unless you are the registrar yourself.

Glue Records and Dedicated DNS

In normal DNS resolution, when a resolver attempts to resolve a domain name, it queries the authoritative nameservers for the domain. If the nameservers for a domain exist inside the domain itself, a glue record is needed to resolve the domain name.

ns1.com

Which additional answers you mean? Can you give an example? I don't see it.
Edit: But if you set your nameservers with your registrar correctly it should be glue records, however I encountered some registrars in the past where one has to give them the order to set the glue records.
Anyway, you do not set them in DA yourself.

Anyway it's odd, because compare a check between buggedbrain.com and buggednetworks.eu then in both cases it says in the "missing Glue" section:

OK. Parent name servers are offering glue for domain's name servers

But with buggednetworks.eu in the first section you can see this:

ns1.buggedbrain.com. TTL=86400            [NO GLUE4]            [NO GLUE6]
ns2.buggedbrain.com. TTL=86400            [NO GLUE4]            [NO GLUE6]

So in this part no glue is seen for ipv4 and ipv6.

There is a difference between both domains in this result, this is also odd, right?
I don't know if that has anything to do with the bind change.

 

[Richard G]

Maybe this is a cause:

https://viewdns.info/dnsreport/?domain=buggedbrain.com

That one also says:
Oops! The parent servers don't have A records for each of your nameservers!
And here also ns3 (like with intodns) does not have a Glue. Parent servers are at your registrar, I think you might need to contact them to doublecheck things.
However, feel free to try other solutions.

 

[Nickske00]

Which additional answers you mean? Can you give an example? I don't see it.

NS1:

;; ADDITIONAL SECTION:
ns1.buggedbrain.com. 3600 IN AAAA 2a01:4f8:120:3493::2
ns2.buggedbrain.com. 3600 IN AAAA 2a02:c207:2025:7385::1
ns1.buggedbrain.com. 3600 IN A 78.46.78.132
ns2.buggedbrain.com. 3600 IN A 207.180.214.48

NS2 & NS3:

;; ADDITIONAL SECTION:
ns1.buggedbrain.com. 3600 IN AAAA 2a01:4f8:120:3493::2
ns2.buggedbrain.com. 3600 IN AAAA 2a02:c207:2025:7385::1
ns3.buggednetworks.eu. 3600 IN AAAA 2605:a140:2037:7597::1
ns1.buggedbrain.com. 3600 IN A 78.46.78.132
ns2.buggedbrain.com. 3600 IN A 207.180.214.48
ns3.buggednetworks.eu. 3600 IN A 209.126.6.143

The glue is set correctly at the registar. The reason you are getting the no glue message at the root servers is because it are different tld's.
.com only has glue for ns1 & ns2 and .eu only has glue for ns3.

Also see https://serverfault.com/questions/142344/how-to-test-dns-glue-record

You should get back the correct list of NS records in the "AUTHORITY SECTION". For any name servers that have correctly configured glue you should see those glue A (and/or AAAA) records appear in the "ADDITONAL SECTION".

So, the additional section you get back from your own nameserver contains the glue in the additional section of the response.

But for some reason bind stopped adding glue for out-of-zone nameservers in a recent version...

 

[Richard G]

Also see https://serverfault.com/questions/142344/how-to-test-dns-glue-record

Ah.... I see where the misunderstanding is. It's mostly on my side. I thought sending to the nameservers, like setting up c.q. adding glue records.... stupid me.
But you were talking about sending out as response to a request. So I think we're clear on that now, sorry for the confusion.

l'll send you a pm if you're oke, because I've seen something else, but don't know if that will be of help and I don't want to disturb other responses.

 

[sparek]

Can you have glue across different TLDs?

buggedbrain.com is missing glue for the ns3.buggednetworks.eu nameserver.

i.gtld-servers.net doesn't have authority to return IP addresses for .eu domain names.