Are any glue records actually needed with external DNS?


#1

Hi,

We’re still experimenting with MIAB and trying to make sure it will do what we want it to do. I have a separate thread on general mail settings.

We’re looking at the role of glue records and trying to get our head around what is actually needed.

We currently have a number of domains with easydns DOT com. Some of these domains are production domains that support quite busy webservers and a large number of services running different services. These are things we do NOT want to change around.

We have never used Glue records as all our DNS management is done by easydns DOT com and we’re very happy with what we pay them to do. We’ve been reading a lot about glue records and apart from the rather silly name (I’m sure there’s a good reason for it), it appears that a Glue Record simply delegates responsibility for a domain down to a sub-server. Fine, makes sense.

However, we do NOT want to move all of our DNS management out of easydns DOT com, we’d prefer to keep it running as we have redundancy and latency protection, also we’ve just renewed a load of domains :slight_smile:

After reading and re-reading the MIAB setup guide, we think there is zero need to actually use Glue Records at all if (and only if) your external DNS is set up correctly. This means we need to set up the right MX records, the right A* records for the mail server, the right DNSSEC records as indicated in the External DNS page of the MIAB console admin. This means that we can ignore most of the errors on the system setup page that are connected to DNS management.

Have we read this correctly? If so then we need to take responsibility for the DNS configuration which is fine. We’re all grown ups here (well not sure I am).

Thanks for reading,

Rob


#3

GLUE records are not needed if you use external DNS. You will just have to ignore the warnings in the system page.

There is an External DNS page that describes special DNS entries you will need as well.


#4

If you’ve never used Glue records for your domain, i.e. you do all your DNS updating through easydns then you don’t need to worry about Glue records.

To understand what Glue records are you need to picture how DNS works.

In order to find DNS records for your domain the querying recursive DNS server must first find the nameserver for my domain.

However, NS records only show the names of the name servers.

In order to actually do a lookup using those name servers you need to be able to find their IP address.

In the above situation Glue records are needed in order to get round this problem. Essentially you provide the Nameserver names and IP addresses to the registrar and they upload the information to the DNS records for the TLD (in the above case .co.uk). I can simulate the lookup for this record with a DIG command:

C:\Users\timdu>dig @156.154.100.3 timothydutton.co.uk

; <<>> DiG 9.10.6-P1 <<>> @156.154.100.3 timothydutton.co.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20775
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;timothydutton.co.uk.           IN      A

;; AUTHORITY SECTION:
timothydutton.co.uk.    172800  IN      NS      ns2.box.timothydutton.co.uk.
timothydutton.co.uk.    172800  IN      NS      ns1.box.timothydutton.co.uk.

;; ADDITIONAL SECTION:
ns1.box.timothydutton.co.uk. 172800 IN  A       77.68.89.100
ns2.box.timothydutton.co.uk. 172800 IN  A       77.68.89.100

At this point in the DNS lookup the recursive server now knows both the nameserver name and IP address and can move on to querying my nameserver directly.

If you are using a third party DNS server they will have their own Glue records for their nameservers; you don’t normally have to worry about that, although you may get complaints from some DNS checking services that no Glue records exist for your domain.

As you correctly inferred, all other records such as the address of the box need adding using EasyDNS’s control panel. When adding SPF, DMARC and DKIM records you should specify them as type TXT.

Edit - I appreciate this is probably more information than you need, however I hope it will help you get your head around what Glue records are in practice. I’ve no technical qualifications myself, but I have learnt that there’s far more to DNS lookups than people think.


#5

Thank you very much for the informative reply. We were coming to that conclusion, though somewhat slower than you :slight_smile:

We’ve been experimenting with the DNS, SPF and DKIM and the External DNS page on the MIAB admin system. So far we have now got DKIM, SPF all working and tested. We’ve also updated SPF to allow our other Linux mail servers to send e-mail.

It’s clear that for our needs, we should use the External DNS systems and we will continue to do so. It’s been quite good fun as we now know how SPF really works.

Our next test is sending email to Google. Our experience is that they immediately blacklist you when there’s a hint of a problem. So far we have avoided using them as a test as we got blacklisted when we tried earlier in the week using a different mail system. It only took four e-mails to be put on the naughty step.

Rob


#6

I think we can close this topic as the help has been excellent and well informed.

Many thanks to everybody who contributed.

