Bad glue record in .NET zone
Who is in charge of the gtld-servers (for .net)? They have an incorrect glue record for just one of our domains. For the other domains that use that server, the glue record is fine. Can't change it at Network Solutions - they claim the IP is correct.
Generally you would need to change those values with the registrar. Maybe try changing the registrar-set values to a different value and then back? I'm thinking it might force an update message to refresh the state. I think Network Solutions *is* in charge of gtld-servers.net On Fri, 20 Feb 2026 at 15:59, John Palmer via NANOG <nanog@lists.nanog.org> wrote:
Who is in charge of the gtld-servers (for .net)? They have an incorrect glue record for just one of our domains. For the other domains that use that server, the glue record is fine.
Can't change it at Network Solutions - they claim the IP is correct.
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/GL25XDPX...
`550 Get a real e-mail address (ie one you pay for). We do not accept GMAIL or Yahoo email - too much spam.` - kinda hard to help with this sort of answer from your email service... I'd also point out that you can't actually tell if a gmail user pays for their account or not... but anyway, good luck ! On Fri, Feb 20, 2026 at 6:59 PM John Palmer via NANOG <nanog@lists.nanog.org> wrote:
Who is in charge of the gtld-servers (for .net)? They have an incorrect glue record for just one of our domains. For the other domains that use that server, the glue record is fine.
Can't change it at Network Solutions - they claim the IP is correct.
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/GL25XDPX...
+1 Also, if you provide the actual domain name people will be much more able to help you, for example by figuring out the registrar, if this does actually look like an issue, etc. W On Sat, Feb 21, 2026 at 1:29 PM, Christopher Morrow <nanog@lists.nanog.org> wrote:
`550 Get a real e-mail address (ie one you pay for). We do not accept GMAIL or Yahoo email - too much spam.` - kinda hard to help with this sort of answer from your email service...
I'd also point out that you can't actually tell if a gmail user pays for their account or not... but anyway, good luck !
On Fri, Feb 20, 2026 at 6:59 PM John Palmer via NANOG <nanog@lists.nanog.org> wrote:
Who is in charge of the gtld-servers (for .net)? They have an incorrect glue record for just one of our domains. For the other domains that use that server, the glue record is fine.
Can't change it at Network Solutions - they claim the IP is correct.
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/GL25XDPX...
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PDU3CRXF...
It appears that Jonathan Lassoff via NANOG <nanog@lists.nanog.org> said:
Generally you would need to change those values with the registrar. Maybe try changing the registrar-set values to a different value and then back? I'm thinking it might force an update message to refresh the state.
Those seem reasonable but I agree that if you want help, the actual names are essential.
I think Network Solutions *is* in charge of gtld-servers.net
No, that hasn't been the case for over 20 years. R's, John
On Sat, Feb 21, 2026 at 20:39 John Levine via NANOG <nanog@lists.nanog.org> wrote:
It appears that Jonathan Lassoff via NANOG <nanog@lists.nanog.org> said:
Generally you would need to change those values with the registrar. Maybe try changing the registrar-set values to a different value and then back? I'm thinking it might force an update message to refresh the state.
Those seem reasonable but I agree that if you want help, the actual names are essential.
Strong agree. Actual names could garner actual help vs. just speculation.
I think Network Solutions *is* in charge of gtld-servers.net
No, that hasn't been the case for over 20 years.
I guess I mean what’s left of them, and what is now called Verisign. The names on the domain haven’t changed, the stack has just changed owners.
We (Verisign) are not aware of any operational issues. That said, I have reached out to John directly to see if we could help troubleshoot the issue he is experiencing. @John please check my direct email to you.
On Sun, 22 Feb 2026, Jonathan Lassoff wrote:
I think Network Solutions *is* in charge of gtld-servers.net
No, that hasn't been the case for over 20 years.
I guess I mean what’s left of them, and what is now called Verisign. The names on the domain haven’t changed, the stack has just changed owners.
In 2000, Verisign bought Network Solutions which was the registry for .COM, .NET, and .ORG. As part of the process that created ICANN, in 2003 Verisign spun off NetSol as a registrar, and transferred .ORG to PIR, owned by the Internet Society. They kept the .COM and .NET registries. These days NetSol has been rolled up into Newfold Digital along with a lot of other registrars and hosting providers like web.com and Bluehost. Verisign is bigger than Newfold (most of whose income comes from stuff other than the registrars) and much bigger than PIR. The only other registry/registrar of similar size is Godaddy. None of this should be a surprise to anyone. But anyway, Verisign talks to registrars, and registrars talk to customers. If a glue record is broken, you need to talk to the registrar that is responsible for it. If we knew what the record was we could easily tell which registrar it is. R's, John
On Sun, Feb 22, 2026 at 1:48 PM John R. Levine via NANOG <nanog@lists.nanog.org> wrote:
But anyway, Verisign talks to registrars, and registrars talk to customers. If a glue record is broken, you need to talk to the registrar that is responsible for it. If we knew what the record was we could easily tell which registrar it is.
hazarding a guess: adns.net looks wonky :( a.gtld-servers.net says: ( for and NS set query) ;; ADDITIONAL SECTION: ns1.adns.net. 172800 IN A 199.5.157.2 ns2.adns.net. 172800 IN A 199.5.157.3 czones1.american-webmasters.net. 172800 IN A 199.5.157.129 czones2.american-webmasters.net. 172800 IN A 199.5.156.253 kovu.adns.net. 172800 IN A 199.5.157.52 nebula.adns.net. 172800 IN A 3.134.129.157 and the first in that list that replies fo dns requests: 3.134.129.157 / nebula.adns.net. says: NS1.ADNS.NET. 3600 IN A 199.5.157.2 NS2.ADNS.NET. 3600 IN A 199.5.157.3 KOVU.ADNS.NET. 3600 IN A 199.5.157.52 NEBULA.ADNS.NET. 3600 IN A 3.134.129.157 QUASAR.ADNS.NET. 3600 IN A 198.180.140.2 NS1.ADNS.NET. 3600 IN AAAA 2602:f813::1:c705:9d02 NS2.ADNS.NET. 3600 IN AAAA 2602:f813::1:c705:9d03 KOVU.ADNS.NET. 3600 IN AAAA 2602:f813::1:c705:9d34 NEBULA.ADNS.NET. 3600 IN AAAA 2600:1f16:ec1:a1b4:767d:df35:b9b9:2581 QUASAR.ADNS.NET. 3600 IN AAAA 2602:f813::1:c6b4:8c02 NONE of the 199.5/16 ips reply at all for dns.. that seems bad :( or at least 'sub optimal'. In that second answer the only not-aws IPv4 address that replies is: 198.180.140.2 -chris (yes this is the 'additional section' content from dig NS @<thing> domain)
Nope. The issue is that the glue record SLD1.WORLDROOT.NET has the wrong IP address on it (198.180.140.223) in the gtld-servers.net servers and there is no way that I can change it since Network Solutions has a broken website that doesn't show any glue records unless they were created on their website. Our domains were originally created at another registrar and apparently Network Solutions can't handle that. NS1, NS2, KOVU, NEBULA and QUASAR all answer properly forr ADNS.NET: ; <<>> DiG 9.14.7 <<>> ns adns.net @b.gtld-servers.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21948 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 7 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;adns.net. IN NS ;; AUTHORITY SECTION: adns.net. 172800 IN NS ns1.adns.net. adns.net. 172800 IN NS ns2.adns.net. adns.net. 172800 IN NS czones1.american-webmasters.net. adns.net. 172800 IN NS czones2.american-webmasters.net. adns.net. 172800 IN NS kovu.adns.net. adns.net. 172800 IN NS nebula.adns.net. ;; ADDITIONAL SECTION: ns1.adns.net. 172800 IN A 199.5.157.2 ns2.adns.net. 172800 IN A 199.5.157.3 czones1.american-webmasters.net. 172800 IN A 199.5.157.129 czones2.american-webmasters.net. 172800 IN A 199.5.156.253 kovu.adns.net. 172800 IN A 199.5.157.52 nebula.adns.net. 172800 IN A 3.134.129.157 ;; Query time: 31 msec ;; SERVER: 2001:503:231d::2:30#53(2001:503:231d::2:30) ;; WHEN: Mon Feb 23 02:21:30 CST 2026 ;; MSG SIZE rcvd: 273 That also brings up another poiint about Netsol's website - it doesn't allow you to put an IP6 address on a glue record - it parses it as an invalid entry. We were dumped into Network Solutions against our will by the myriad of mergers (Dotster -> some other company -> Network Soltions). I could move them but transferring 50 domains is a PITA. Same problem with data centers. Hivelocity abandoned its Chicago and Miami customers. -----Original Message----- From: Christopher Morrow via NANOG <nanog@lists.nanog.org> Sent: Sunday, February 22, 2026 17:24 To: North American Network Operators Group <nanog@lists.nanog.org> Cc: John R. Levine <johnl@iecc.com>; Christopher Morrow <morrowc.lists@gmail.com> Subject: Re: Bad glue record in .NET zone On Sun, Feb 22, 2026 at 1:48 PM John R. Levine via NANOG <nanog@lists.nanog.org> wrote:
But anyway, Verisign talks to registrars, and registrars talk to customers. If a glue record is broken, you need to talk to the registrar that is responsible for it. If we knew what the record was we could easily tell which registrar it is.
hazarding a guess: adns.net looks wonky :( a.gtld-servers.net says: ( for and NS set query) ;; ADDITIONAL SECTION: ns1.adns.net. 172800 IN A 199.5.157.2 ns2.adns.net. 172800 IN A 199.5.157.3 czones1.american-webmasters.net. 172800 IN A 199.5.157.129 czones2.american-webmasters.net. 172800 IN A 199.5.156.253 kovu.adns.net. 172800 IN A 199.5.157.52 nebula.adns.net. 172800 IN A 3.134.129.157 and the first in that list that replies fo dns requests: 3.134.129.157 / nebula.adns.net. says: NS1.ADNS.NET. 3600 IN A 199.5.157.2 NS2.ADNS.NET. 3600 IN A 199.5.157.3 KOVU.ADNS.NET. 3600 IN A 199.5.157.52 NEBULA.ADNS.NET. 3600 IN A 3.134.129.157 QUASAR.ADNS.NET. 3600 IN A 198.180.140.2 NS1.ADNS.NET. 3600 IN AAAA 2602:f813::1:c705:9d02 NS2.ADNS.NET. 3600 IN AAAA 2602:f813::1:c705:9d03 KOVU.ADNS.NET. 3600 IN AAAA 2602:f813::1:c705:9d34 NEBULA.ADNS.NET. 3600 IN AAAA 2600:1f16:ec1:a1b4:767d:df35:b9b9:2581 QUASAR.ADNS.NET. 3600 IN AAAA 2602:f813::1:c6b4:8c02 NONE of the 199.5/16 ips reply at all for dns.. that seems bad :( or at least 'sub optimal'. In that second answer the only not-aws IPv4 address that replies is: 198.180.140.2 -chris (yes this is the 'additional section' content from dig NS @<thing> domain) _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/JFVO7ZDL...
So this is clearly a network solutions issue.. not something the registry should get involved with. If their web interface doesn't let you make the necessary changes go to their support and escalate. They should be able to manually delete the old glue record. If you can't get anywhere with that my practical suggestion is to temporarily transfer it to a competent registrar, get the glue records sorted out and then if you must, move it back. Rob On 2026-02-23 08:22, John Palmer via NANOG wrote:
Nope.
The issue is that the glue record SLD1.WORLDROOT.NET has the wrong IP address on it (198.180.140.223) in the gtld-servers.net servers and there is no way that I can change it since Network Solutions has a broken website that doesn't show any glue records unless they were created on their website. Our domains were originally created at another registrar and apparently Network Solutions can't handle that.
NS1, NS2, KOVU, NEBULA and QUASAR all answer properly forr ADNS.NET:
; <<>> DiG 9.14.7 <<>> ns adns.net @b.gtld-servers.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21948 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 7 ;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;adns.net. IN NS
;; AUTHORITY SECTION: adns.net. 172800 IN NS ns1.adns.net. adns.net. 172800 IN NS ns2.adns.net. adns.net. 172800 IN NS czones1.american-webmasters.net. adns.net. 172800 IN NS czones2.american-webmasters.net. adns.net. 172800 IN NS kovu.adns.net. adns.net. 172800 IN NS nebula.adns.net.
;; ADDITIONAL SECTION: ns1.adns.net. 172800 IN A 199.5.157.2 ns2.adns.net. 172800 IN A 199.5.157.3 czones1.american-webmasters.net. 172800 IN A 199.5.157.129 czones2.american-webmasters.net. 172800 IN A 199.5.156.253 kovu.adns.net. 172800 IN A 199.5.157.52 nebula.adns.net. 172800 IN A 3.134.129.157
;; Query time: 31 msec ;; SERVER: 2001:503:231d::2:30#53(2001:503:231d::2:30) ;; WHEN: Mon Feb 23 02:21:30 CST 2026 ;; MSG SIZE rcvd: 273
That also brings up another poiint about Netsol's website - it doesn't allow you to put an IP6 address on a glue record - it parses it as an invalid entry.
We were dumped into Network Solutions against our will by the myriad of mergers (Dotster -> some other company -> Network Soltions). I could move them but transferring 50 domains is a PITA.
Same problem with data centers. Hivelocity abandoned its Chicago and Miami customers.
-----Original Message----- From: Christopher Morrow via NANOG <nanog@lists.nanog.org> Sent: Sunday, February 22, 2026 17:24 To: North American Network Operators Group <nanog@lists.nanog.org> Cc: John R. Levine <johnl@iecc.com>; Christopher Morrow <morrowc.lists@gmail.com> Subject: Re: Bad glue record in .NET zone
On Sun, Feb 22, 2026 at 1:48 PM John R. Levine via NANOG <nanog@lists.nanog.org> wrote:
But anyway, Verisign talks to registrars, and registrars talk to customers. If a glue record is broken, you need to talk to the registrar that is responsible for it. If we knew what the record was we could easily tell which registrar it is.
hazarding a guess: adns.net looks wonky :(
a.gtld-servers.net says: ( for and NS set query) ;; ADDITIONAL SECTION: ns1.adns.net. 172800 IN A 199.5.157.2 ns2.adns.net. 172800 IN A 199.5.157.3 czones1.american-webmasters.net. 172800 IN A 199.5.157.129 czones2.american-webmasters.net. 172800 IN A 199.5.156.253 kovu.adns.net. 172800 IN A 199.5.157.52 nebula.adns.net. 172800 IN A 3.134.129.157
and the first in that list that replies fo dns requests: 3.134.129.157 / nebula.adns.net. says: NS1.ADNS.NET. 3600 IN A 199.5.157.2 NS2.ADNS.NET. 3600 IN A 199.5.157.3 KOVU.ADNS.NET. 3600 IN A 199.5.157.52 NEBULA.ADNS.NET. 3600 IN A 3.134.129.157 QUASAR.ADNS.NET. 3600 IN A 198.180.140.2 NS1.ADNS.NET. 3600 IN AAAA 2602:f813::1:c705:9d02 NS2.ADNS.NET. 3600 IN AAAA 2602:f813::1:c705:9d03 KOVU.ADNS.NET. 3600 IN AAAA 2602:f813::1:c705:9d34 NEBULA.ADNS.NET. 3600 IN AAAA 2600:1f16:ec1:a1b4:767d:df35:b9b9:2581 QUASAR.ADNS.NET. 3600 IN AAAA 2602:f813::1:c6b4:8c02
NONE of the 199.5/16 ips reply at all for dns.. that seems bad :( or at least 'sub optimal'. In that second answer the only not-aws IPv4 address that replies is: 198.180.140.2
-chris
(yes this is the 'additional section' content from dig NS @<thing> domain) _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/JFVO7ZDL...
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/U77RPIFU...
participants (8)
-
Christopher Morrow -
Ibro Seremet -
John Levine -
John Palmer -
John R. Levine
-
Jonathan Lassoff -
Robert McKay -
Warren Kumari