How to test DNS glue record?
Solution 1:
Glue records only ever exist in the parent zone of a domain name.
Hence in the case of your example.org domain name, first find the .org name servers:
% dig +short org. NS
a0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b0.org.afilias-nst.org.
b2.org.afilias-nst.org.
c0.org.afilias-nst.info.
d0.org.afilias-nst.org.
Then, for as many of these as you feel like testing, explicitly ask those name servers for the NS records for your domain:
% dig +norec @a0.org.afilias-nst.info. example.org. NS
You should get back the correct list of NS records in the "ANSWER SECTION". For any name servers that have correctly configured glue you should see those glue A (and/or AAAA) records appear in the "ADDITIONAL SECTION".
Solution 2:
To check if a GLUE record is set up:
dig +trace @a.root-servers.net ns0.nameserverhere.com
If the GLUE is set up you should see a record that ends with:
“Received XXX bytes from x.GTLD-SERVERS.NET.”
There are also sites which will do it for you, such as http://www.intodns.com/
Solution 3:
Here is a little shell script which implements Alnitak's answer:
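#!/bin/sh
# Usage: ./checkgluerecords.sh example.org
[ -n "$1" ] || { echo "Usage: $0 domain" >&2; exit 1; }
# Split the domain on dots; the last label is the TLD.
S=${IFS}
IFS=.
for P in $1; do
    TLD=${P}
done
IFS=${S}
echo "TLD: ${TLD}"
# Name servers of the parent (TLD) zone.
DNSLIST=$(dig +short "${TLD}." NS)
# Ask each parent server, without recursion, for the domain's NS records;
# glue, if present, is printed as A/AAAA records for the name servers.
for DNS in ${DNSLIST}; do
    echo "Checking ${DNS}"
    dig +norec +nocomments +noquestion +nostats +nocmd "@${DNS}" "$1" NS
done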
Pass the name of the domain as parameter:
./checkgluerecords.sh example.org
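The answers above leave the comparison of NS records against glue records to the reader's eye. As an added example (not part of any of the original answers), the function below reads the output of the `dig +norec ... NS` queries from Solutions 1 and 3 and lists name servers inside the delegated zone that came back without glue; the name `missing_glue` and the sample response are constructed for illustration.

```sh
#!/bin/sh
# missing_glue DOMAIN: reads dig output on stdin (hypothetical helper name).
# Prints every NS target at or below DOMAIN that has no A/AAAA record in the
# same response. Name servers outside the zone do not need glue, so they are
# not reported.
missing_glue() {
    awk -v zone="$1" '
    function norm(n) { n = tolower(n); sub(/\.$/, "", n); return n }
    BEGIN { zone = norm(zone); suffix = "." zone }
    /^;/ || NF < 5 { next }          # skip dig comments and blank lines
    {
        owner = norm($1)
        if ($4 == "NS" && owner == zone) ns[norm($5)] = 1
        else if ($4 == "A" || $4 == "AAAA") glue[owner] = 1
    }
    END {
        for (n in ns) {
            tail = substr(n, length(n) - length(suffix) + 1)
            inside = (n == zone) || (length(n) > length(suffix) && tail == suffix)
            if (inside && !(n in glue)) print n
        }
    }' | sort
}

# Constructed referral for example.org (documentation addresses, not real data).
SAMPLE=';; AUTHORITY SECTION:
example.org.      86400 IN NS   ns1.example.org.
example.org.      86400 IN NS   ns2.example.org.
example.org.      86400 IN NS   ns.example.net.

;; ADDITIONAL SECTION:
ns1.example.org.  86400 IN A    192.0.2.53'

# ns2.example.org is in the zone but has no address record in the response.
printf '%s\n' "$SAMPLE" | missing_glue example.org   # prints ns2.example.org
```

Against live data, pipe a real query into it, for example `dig +norec @a0.org.afilias-nst.info. example.org. NS | missing_glue example.org`.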
Solution 4:
dig +trace is generally the most straightforward way to inspect the chain of delegations. However, glue records are in the additional section and by default trace output does not include the additional section. You will need to specify explicitly that you want this included in the output.
dig +trace +additional example.com
If the idea is to check the sanity of the delegation chain you will probably want to see the authoritative NS records as well, in this case:
dig +trace +additional example.com NS