Are "Glue" records in DNS used only by nameservers of the same domain?

Solution 1:

And so a glue record will be present only for nameservers which are within the domain for which they are authoritative, i.e. they are required if has nameserver as and it will not be required if it is on another domain.

Sadly, this is an incorrect conclusion to draw. There's nothing to stop you from serving glue records that aren't strictly necessary. Let's say that I operate the nameservers for, and I want to delegate to

Defining the delegation is simple enough: IN NS

That should be enough by itself, but I could also define a glue record for it: IN A

This would cause my nameserver to include in the referrals for as glue. My nameservers aren't responsible for, and no sane nameserver on the internet is going to store that glue record in cache.

What they will do is assume that I want to be queried if is not currently in cache. This is fine...until the admins for change the IP address of My glue would be wrong, and in many cases this referral would break.

Solution 2:

You should be careful to not confuse glue records with additional section records. While it is true that glue records are placed in the additional section, not all additional records are glue.

In your example with, you're seeing additional records for ns1 and This happens because the .com zone happens to have A records for those name servers, but strictly speaking this is not glue. It is included in the additional section as an optimization, to save a second lookup.

Note that glue data is not considered to be authoritative. If you try querying the .com name servers for a glue record, you'll get back a referral and you won't get the glue record in the answer section. This is what's happening in the case of and per one of the comments above. There is a host/glue record for but you can't see it by querying for it directly because you get the referral instead. Probably this host/glue record is no longer strictly necessary, but since it is there it is included in referrals that reference it.

.com and .net didn't always work this way. It was necessary to change their behavior before they were signed with DNSSEC. This NANOG post explains the change.
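
The distinction both answers draw, as an added example (not code from either answer): a simplified Python model that sorts the address records in a referral's additional section by where the name server's name sits relative to the delegated zone and the delegating zone. The zone names and addresses are constructed from reserved example ranges, and the verdict labels are this example's own terms.

```python
# Added example: classify address records in a referral's additional section.
# Names and addresses are constructed (reserved example domains and ranges).

def labels(name):
    """Split a domain name into lowercase labels; the root is an empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_zone(name, zone):
    """True when name is at or below zone, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def classify_referral(parent, child, ns_targets, additional):
    """Return {(owner, rtype): verdict} for each additional-section record.

    required-glue          NS name is inside the delegated (child) zone, so it
                           cannot be resolved without the address in the referral
    in-bailiwick-optional  NS name is elsewhere under the parent zone; the
                           address only saves a second lookup
    out-of-bailiwick       NS name is outside the parent zone; the parent has
                           no authority over it and its copy can go stale
    unrelated              not an address record for one of the NS targets
    """
    targets = {".".join(labels(t)) for t in ns_targets}
    verdicts = {}
    for owner, rtype, _rdata in additional:
        key = ".".join(labels(owner))
        if rtype not in ("A", "AAAA") or key not in targets:
            verdict = "unrelated"
        elif in_zone(key, child):
            verdict = "required-glue"
        elif in_zone(key, parent):
            verdict = "in-bailiwick-optional"
        else:
            verdict = "out-of-bailiwick"
        verdicts[(key, rtype)] = verdict
    return verdicts

# Constructed referral: example.com delegates sub.example.com to three servers.
SAMPLE_NS = ["ns1.sub.example.com.", "ns.example.com.", "ns.example.net."]
SAMPLE_ADDITIONAL = [
    ("ns1.sub.example.com.", "A", "192.0.2.1"),
    ("ns.example.com.", "A", "192.0.2.2"),
    ("ns.example.net.", "A", "198.51.100.7"),
    ("www.example.org.", "A", "203.0.113.9"),
]

if __name__ == "__main__":
    result = classify_referral("example.com", "sub.example.com", SAMPLE_NS, SAMPLE_ADDITIONAL)
    for (owner, rtype), verdict in result.items():
        print(f"{owner:22} {rtype:5} {verdict}")
```
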