Troubleshooting | 2026-04-03 | 12 min read

Common Glue Record Problems: DNS Delegation Issues Explained

A complete troubleshooting guide to glue record issues, including in-bailiwick nameservers, missing glue, delegation mismatches, and how to fix DNS resolution failures.

Missing addressing for in-bailiwick nameservers

A common glue-related issue occurs when a domain uses in-bailiwick nameservers, such as ns1.example.com for example.com, but does not provide the required glue records at the parent zone.

Glue records are essential in this scenario because without them, a resolver would need to query the very nameserver it is trying to locate, creating a circular dependency.

If glue records are missing or incorrect, DNS resolution can fail completely or behave inconsistently depending on caching and resolver behaviour.

This behaviour is defined in the core DNS specifications.

Delegation changed but expectations did not

Glue record issues frequently arise during DNS migrations or infrastructure changes. For example, if nameservers are moved to new IP addresses but the parent-zone glue is not updated, resolvers may still attempt to use outdated addressing.

This can lead to intermittent resolution failures, where some users can resolve the domain while others cannot, depending on cached data and resolver location.

It is critical to ensure that any change to nameserver infrastructure is reflected consistently at both the authoritative zone and the parent delegation level.

You can compare responses across multiple public resolvers to see whether inconsistent delegation data is still being observed.

Confusing glue with ordinary zone resolution

One of the most common troubleshooting mistakes is only checking authoritative DNS records inside the zone and ignoring delegation data held at the parent zone.

Glue records exist at the parent level, such as the TLD registry, not inside the child zone itself.

This means a domain can appear correctly configured when queried directly against its authoritative servers, but still fail for external users because the parent-level delegation data is wrong or incomplete.

Understanding the difference between authoritative answers and delegation data is essential when diagnosing glue-related DNS issues.

Outdated or inconsistent glue records

Glue records can become outdated if nameserver IP addresses change without updating the parent zone.

In these cases, resolvers may be directed to incorrect or unreachable IP addresses, leading to timeouts, SERVFAIL responses, or intermittent resolution issues.

Because glue records are cached across the DNS ecosystem, inconsistencies can persist even after corrections are made, which can make the issue appear regional or inconsistent.

This is why nameserver changes should always be planned carefully and validated end-to-end.

In-bailiwick vs out-of-bailiwick nameservers

Glue records are only required for in-bailiwick nameservers, where the nameserver hostname exists within the domain it serves.

Out-of-bailiwick nameservers, such as ns1.provider.com for example.com, do not require glue because their IP addresses can be resolved independently.

Choosing out-of-bailiwick nameservers can simplify DNS design and reduce the risk of glue-related issues, especially in more complex environments.

What to check

  • Whether the nameserver is in-bailiwick and therefore requires glue
  • Whether glue records exist at the parent zone
  • Whether A or AAAA records for the nameserver are correct and reachable
  • Whether glue records match the authoritative DNS configuration
  • Whether recent DNS or infrastructure changes have been fully applied
  • Whether DNS propagation or caching may still be affecting results

How to troubleshoot glue record issues

Start by identifying whether the domain uses in-bailiwick nameservers. If it does, verify that glue records exist at the parent zone and that they match the authoritative DNS records.

Use trace-based lookups to follow the full delegation path from the root servers down to the authoritative nameservers.

dig +trace example.com

This allows you to see exactly which nameservers and IP addresses are being returned at each stage of resolution.

You can also use DNS tools to inspect nameserver responses, compare resolver results, and review whether the problem is likely delegation-related or simply a caching delay.

If mismatches are found, update the glue records through your registrar or registry provider and allow time for propagation.
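The checks listed above can be automated. The following is an added example, not part of the original guide: it parses a parent-zone referral and the child zone's own address records, then reports each nameserver as out-of-bailiwick, missing glue, mismatched, or ok. The function names, the sample zone contents and the IP addresses are assumptions constructed for illustration.

```python
# Added example. All records below are constructed sample data (documentation IP ranges).
# REFERRAL: what a parent-zone server would return for a non-recursive NS query,
# e.g. `dig +norecurse NS example.com @a.gtld-servers.net` (authority + additional sections).
REFERRAL = """\
;; AUTHORITY SECTION:
example.com.      172800  IN  NS  ns1.example.com.
example.com.      172800  IN  NS  ns2.example.com.
example.com.      172800  IN  NS  ns1.provider.net.
;; ADDITIONAL SECTION:
ns1.example.com.  172800  IN  A   192.0.2.10
"""
# AUTHORITATIVE: address records served by the child zone itself.
AUTHORITATIVE = """\
ns1.example.com.  3600  IN  A  192.0.2.53
ns2.example.com.  3600  IN  A  198.51.100.53
"""

def parse_records(text):
    """Map (owner, type) -> set of rdata from dig-style record lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) < 5 or fields[2] != "IN":
            continue  # skip section headers, comments and blank lines
        records.setdefault((fields[0].lower(), fields[3]), set()).add(fields[4].lower())
    return records

def addresses(records, name):
    """Union of the A and AAAA rdata held for a name."""
    return records.get((name, "A"), set()) | records.get((name, "AAAA"), set())

def audit_glue(zone, referral_text, authoritative_text):
    """Return {nameserver: finding} for every NS in the parent's referral."""
    zone = zone.lower().rstrip(".") + "."
    parent, child = parse_records(referral_text), parse_records(authoritative_text)
    findings = {}
    for ns in sorted(parent.get((zone, "NS"), set())):
        glue, auth = addresses(parent, ns), addresses(child, ns)
        if not (ns == zone or ns.endswith("." + zone)):
            findings[ns] = "out-of-bailiwick: glue not required"
        elif not glue:
            findings[ns] = "MISSING glue at parent"
        elif glue != auth:
            findings[ns] = f"MISMATCH: glue {sorted(glue)} != authoritative {sorted(auth)}"
        else:
            findings[ns] = "ok"
    return findings

if __name__ == "__main__":
    for ns, finding in audit_glue("example.com", REFERRAL, AUTHORITATIVE).items():
        print(f"{ns:20} {finding}")
```

With the sample data, ns1.example.com is reported as a mismatch (stale glue), ns2.example.com as missing glue, and ns1.provider.net as not requiring glue.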

A practical rule of thumb

If a nameserver lives inside the namespace it serves, glue configuration becomes a critical part of DNS reliability.

That does not automatically mean the setup is wrong, but it does mean the delegation deserves closer scrutiny.

Where possible, simpler designs using external nameservers can reduce operational risk and make troubleshooting easier.
