What is a Glue Record?
A type of DNS record (A or AAAA) placed in a parent zone to give resolvers the IP address of a nameserver whose name is inside the child zone, breaking the circular dependency that would otherwise prevent resolution.
A glue record is a DNS resource record (A or AAAA) that a parent zone publishes alongside a delegation NS record when the authoritative nameserver for the child zone has a name that lies within that child zone itself. For example, if the zone "example.com" delegates authority for "sub.example.com" to a nameserver named "ns1.sub.example.com", a resolver must know the IP address of ns1.sub.example.com to query it for data about sub.example.com. But the only place that can answer queries about ns1.sub.example.com is the sub.example.com zone itself, creating a chicken-and-egg problem. The glue record breaks this cycle by providing the A or AAAA record for ns1.sub.example.com in the parent zone (example.com), so resolvers can complete the iterative lookup without entering the child zone first.
Glue records are defined in RFC 1034 and RFC 1035. They exist only in the parent zone's apex data, stored as additional information alongside the NS delegation set. When a resolver receives a referral response for a delegation, the parent nameserver includes the glue records in the Additional section of the DNS response. This allows the resolver to immediately have the IP address needed to query the delegated nameserver without performing an intermediate lookup. A glue record must match the nameserver name exactly and must be a non-CNAME record. Registrar and registry systems enforce the existence of glue records during domain delegation; if a nameserver's hostname is not an IP address literal and ends in the domain being registered, the registrant must provide corresponding glue records.
Glue records can become stale if the IP address of the child zone's nameserver changes but the parent zone's glue record is not updated. DNSSEC does not sign glue records in the parent zone because they are external to the child zone's trust anchor; the parent zone's delegation signer (DS) record chain does not cover them. In stealth or multi-homed configurations, operators may include "sibling glue" -- extra records for nameservers not in the child zone -- to improve resilience. Despite their name, glue records are not a separate record type; they are ordinary A or AAAA records placed in an unusual location.
Key facts
- Defined in RFC 1034 section 4.2.1 and RFC 1035 section 6.3.
- Only needed when a nameserver hostname lies inside the zone it serves.
- Stored in the parent zone, never in the child zone's authoritative data.
- Appear in the Additional section of DNS referral responses.
- Must be an A or AAAA record; CNAME glue is not permitted by the DNS protocol.
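An added example, not part of the original page: an offline audit of one delegation that applies the rules above (glue is needed only for in-zone nameservers, must match the NS name exactly, and can go stale). The function names, status labels and sample records are constructed for illustration; in practice the two address maps would come from the parent's referral (Additional section) and from the child zone's own answers.

```python
import ipaddress

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def in_zone(name, zone):
    """True when name is the zone apex or a descendant of it."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

def addr_map(records):
    """{name: [ip strings]} -> {normalized name: set of ip_address objects}."""
    return {norm(n): {ipaddress.ip_address(a) for a in ips} for n, ips in records.items()}

def audit_glue(child_zone, ns_names, parent_glue, child_addrs):
    """Classify each nameserver of a delegation by the state of its glue.

    ns_names    -- NS targets published by the parent for child_zone
    parent_glue -- A/AAAA data the parent returns in the Additional section
    child_addrs -- A/AAAA data the child zone itself serves for those names
    """
    glue, auth = addr_map(parent_glue), addr_map(child_addrs)
    ns_set = {norm(n) for n in ns_names}
    findings = {}
    for ns in sorted(ns_set):
        have = glue.get(ns, set())
        if not in_zone(ns, child_zone):
            findings[ns] = "sibling-glue" if have else "no-glue-needed"
        elif not have:
            findings[ns] = "missing-glue"      # resolver cannot reach this server
        elif have != auth.get(ns):
            findings[ns] = "stale-glue"        # parent and child disagree
        else:
            findings[ns] = "ok"
    for name in sorted(glue.keys() - ns_set):
        findings[name] = "unmatched-glue"      # glue whose owner is not an NS target
    return findings

# Constructed sample delegation (documentation address ranges only).
SAMPLE = audit_glue(
    "sub.example.com.",
    ["NS1.sub.example.com.", "ns2.sub.example.com.", "ns3.sub.example.com.", "ns.example.net."],
    parent_glue={"ns1.sub.example.com.": ["192.0.2.1", "2001:DB8::1"],
                 "ns2.sub.example.com.": ["192.0.2.2"],
                 "nsl.sub.example.com.": ["192.0.2.9"]},  # typo'd owner name
    child_addrs={"ns1.sub.example.com.": ["192.0.2.1", "2001:db8:0:0:0:0:0:1"],
                 "ns2.sub.example.com.": ["192.0.2.22"]},
)
```

Addresses are compared as parsed values, so differently written forms of the same IPv6 address do not raise a false stale-glue finding.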
More in DNS
A Record
A DNS resource record that maps a hostname to a 32-bit IPv4 address. It is the most fundamental record type for translating domain names to numeric addresses on the Internet.
AAAA Record
A DNS resource record that maps a hostname to a 128-bit IPv6 address, analogous to the A record for IPv4.
Authoritative DNS
An authoritative DNS server holds the definitive resource records for a specific domain and responds to queries with the final answer for that zone, not a cached copy.
CAA Record
A CAA (Certification Authority Authorization) DNS record lets domain owners specify which certificate authorities are permitted to issue SSL/TLS certificates for their domain.
CNAME Record
A DNS record that maps an alias hostname to the true or canonical hostname, allowing multiple names to resolve to the same IP address without duplicating A or AAAA records.
DNS
The Domain Name System (DNS) is a hierarchical, distributed naming system that translates human-readable domain names (like example.com) into IP addresses and other resource records used by internet protocols.
DNS Anycast
DNS Anycast uses one IP address served from multiple geographically distributed nameservers; queries are routed to the nearest or healthiest node, improving resilience and reducing latency.
DNS Caching
DNS caching stores resolved domain name query results for the specified TTL duration to avoid repeated queries to upstream authoritative servers.
DNS Hijacking
DNS hijacking is an attack or misconfiguration that returns forged DNS responses, causing users to connect to attacker-controlled hosts instead of the intended server.
DNSSEC
DNSSEC (DNS Security Extensions) add cryptographic digital signatures to DNS records, enabling resolvers to verify that responses have not been tampered with or spoofed.