DNS question, what if glue doesn't match ns record?

Soybomb

Diamond Member
Jun 30, 2000
9,506
2
81
I'm trying to help someone solve their dns issues and I'm wondering what effect this might have on things.

The user already had glue records like
dns1.domain.com = 192.168.0.10
dns2.domain.com = 192.168.0.11

They wanted to start to transition their services to another backbone provider so they also made glue records of
dns3.domain.com = 10.0.0.30
dns4.domain.com = 10.0.0.31

They copied their domain.com zone file over to the new server and the relevant portions of it had things like
domain.com. NS dns1.domain.com.
domain.com. NS dns2.domain.com.
dns1 A 10.0.0.30
dns2 A 10.0.0.31
dns3 A 10.0.0.32
dns4 A 10.0.0.33

Then they changed the nameservers at the registrar from dns1 & dns2.domain.com to dns3 & dns4.domain.com. They waited for changes to propagate but kept having issues. I was digging around at various places and it looks like some servers are still going to 192.116.0.10 and .11 to resolve the domain instead of going to the new servers, some are going to the new servers of 10.0.0.30 and 31 to resolve names like they wanted. It's been like a week and a half so all changes should be propagated by now.

Clearly it needs a major cleaning up. I'd like to understand more of why this seems to break things. To my understanding what they put in as an A record for the dns servers really is irrelevant since those are entered on the higher level servers as glue records and should be answered there first.

So what actually is happening and what "needs" to match versus what should match to be RFC-happy? Do the NS records of the domain have to match the name servers given to the registrar? Do the A records of the dns servers given to the registrar to be used as glue have to match the locally created A records for those servers?
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
You need to remove the glue records for dns1 and dns2.

You've got recirculation going on. Need to dig deeper into why they are actually using glue records and if they are needed. Judging from the addresses used they don't have a clue about DNS.
 

Soybomb

Do you mean remove dns1 & 2 as glue records at their registrar or as NS records in their zone files? They're wanting to leave 1&2 registered as nameservers as they transition other domains to their new provider even though their own domain is now set to use dns3&4. As far as I know the glue records would have been necessary as the dns servers given to their registrar as responsible for domain.com were dnsx.domain.com

It's a mess for sure :D
 

spidey07

Originally posted by: Soybomb
Do you mean remove dns1 & 2 as glue records at their registrar or as NS records in their zone files? They're wanting to leave 1&2 registered as nameservers as they transition other domains to their new provider even though their own domain is now set to use dns3&4. As far as I know the glue records would have been necessary as the dns servers given to their registrar as responsible for domain.com were dnsx.domain.com

It's a mess for sure :D

I can help. I charge for my time when it comes to idiocy like this. Sorry. Not trying to be mean. Just a money hungry consultant.

Now gimme a whiteboard!
 

Soybomb

Cool, I'll wait for someone with a bit more time. It's a buddy and their business is bankrupt and going down the tubes. I'm just trying to help him keep his thing going as long as he can with whatever advice I can offer and figured I'd learn a little something about real dns messes in the process. I don't think I fully understand how the NS records work with A records in a zone and glue data passed on to higher name servers.
 

spidey07

Read up on what a glue record really means/does. It "sticks" a name server to an IP address.
 

Soybomb

I have been thinking of glue records as an A record for the nameserver higher up than the name server itself; a dns server higher up has to have a glue entry to provide the dns server address for that domain to resolve the dns if the dns server for that domain is from that same domain.
ex: if I say dns1.domain.com is authoritative for the domain.com in its zone file and list it with the domain's registrar as a dns server for that domain, I need to feed my registrar glue information to create an A record for dns1.domain.com otherwise I'll have a circular lookup problem.

So what I'm believing to be happening right now is that a user tries to look up www.domain.com, the name servers listed at the registrar for that domain are dns3 & dns4.domain.com. The query goes from the root servers, to the TLD servers, and the TLD servers respond back with the name servers provided to the registrar, dns3.domain.com and dns4.domain.com. We're trying to look up a name from domain.com already so we obviously can't resolve dns3.domain.com. The glue record is there to break the circular problem and tells us that dns3.domain.com is 10.0.0.32. Now the query goes to 10.0.0.32 for www.domain.com. The dns server is running a messed up zone file though where dns3.domain.com isn't listed as an NS record, only dns1.domain.com and dns2.domain.com. Now this conflicts with the glue information earlier as to what dns server would be authoritative for the domain. It seems as though some queries stop there and take the A record for www.domain.com from that edited messed up zone file, others seem to take it a step further and have trouble with the dns servers listed at the registrar as responsible for the domain not being the ones listed as NS records in the domain's zone file. They go out and dig up the glue record for dns1&2 that are listed in the zone file and then start running their queries off the old server.

Sound like I have a decent idea of what's going on or am I just as lost as they are? :D I'm just going to clean this mess up and make it all right but I guess I'm trying to figure out if their problem stems from the ns records in the zone file not matching the authoritative dns servers given to their registrar, or because the A records of the dns server in their zone file not matching the glue data given for those dns servers to their registrar, or both.
 

Soybomb

Just as an update, looks like I got about everything cleaned up and things are resolving properly for them again. I'd still like to understand the mechanics of it though.

Was the problem more from them having NS records in the domain.com zone showing different authoritative name servers than those provided to the registrar, or from the glue data of dns3.domain.com's IP address given to the registrar being different from the A record of dns3.domain.com in the domain.com zone?
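
Added example (not part of any post in this thread): a small offline check that compares the parent-side delegation with the child zone and reports both kinds of mismatch asked about above. The sample data is constructed from the values in the first post; the function names and finding labels are made up for this illustration.

```python
ORIGIN = "domain.com."

# Constructed from the first post: what the registrar/TLD side holds.
PARENT_NS = {"dns3.domain.com.", "dns4.domain.com."}
PARENT_GLUE = {"dns1.domain.com.": "192.168.0.10", "dns2.domain.com.": "192.168.0.11",
               "dns3.domain.com.": "10.0.0.30", "dns4.domain.com.": "10.0.0.31"}

# Constructed from the first post: the zone file copied to the new server.
CHILD_ZONE = """\
domain.com. NS dns1.domain.com.
domain.com. NS dns2.domain.com.
dns1 A 10.0.0.30
dns2 A 10.0.0.31
dns3 A 10.0.0.32
dns4 A 10.0.0.33
"""

def fqdn(name, origin=ORIGIN):
    """Qualify a relative owner name against the zone origin."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """Return (apex NS set, {host: address}) from 'owner TYPE rdata' lines."""
    ns, addrs = set(), {}
    for line in text.splitlines():
        fields = line.split(";")[0].split()      # drop zone-file comments
        if len(fields) != 3:
            continue
        owner, rtype, rdata = fqdn(fields[0], origin), fields[1].upper(), fields[2]
        if rtype == "NS" and owner == origin:
            ns.add(fqdn(rdata, origin))
        elif rtype == "A":
            addrs[owner] = rdata
    return ns, addrs

def check_delegation(parent_ns, parent_glue, child_ns, child_a):
    """List (kind, name, detail) for every parent/child disagreement."""
    findings = [("ns-only-at-parent", n, "") for n in sorted(parent_ns - child_ns)]
    findings += [("ns-only-in-zone", n, "") for n in sorted(child_ns - parent_ns)]
    for name in sorted(parent_glue):
        zone_addr = child_a.get(name)
        if zone_addr is not None and zone_addr != parent_glue[name]:
            findings.append(("glue-mismatch", name, f"{parent_glue[name]} != {zone_addr}"))
    return findings

def sample_findings():
    """Run the check over the constructed sample data."""
    return check_delegation(PARENT_NS, PARENT_GLUE, *parse_zone(CHILD_ZONE))

if __name__ == "__main__":
    for kind, name, detail in sample_findings():
        print(f"{kind:18} {name:18} {detail}")
```

On the sample data both problems show up at once: the NS sets at the parent and in the zone do not overlap at all, and every glue address differs from the zone's own A record for the same name.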