DNS Glue & Delegation Check

Glue & Delegation Summary

{{ rows.length }} NS {{ checkCounts.pass }} pass {{ checkCounts.warn }} warn {{ checkCounts.fail }} fail Parent: {{ parentCandidate }} Resolver: {{ resolverUsed }}

Domain

Resolver:

Compare resolvers:

Check CNAME on NS:

Check DS records:

Concurrency:

workers

Timeout:

#	Nameserver	In-bailiwick	Glue required	A	AAAA	CNAME	Notes
{{ idx + 1 }}	{{ row.ns }}	{{ row.inBailiwick ? 'Yes' : 'No' }}	{{ row.glueRequired ? 'Yes' : 'No' }}	{{ row.a.join(', ') \|\| '-' }}	{{ row.aaaa.join(', ') \|\| '-' }}	{{ row.cname.join(', ') \|\| '-' }}	{{ row.note \|\| '-' }}

#	Check	Status	Notes
{{ idx + 1 }}	{{ c.label }}	{{ c.status }}	{{ c.note \|\| '-' }}

DS records ({{ dsRows.length }})

#	Parent nameserver	A	AAAA
{{ idx + 1 }}	{{ row.ns }}	{{ row.a.join(', ') \|\| '-' }}	{{ row.aaaa.join(', ') \|\| '-' }}

Resolver	Status	Code	Time	NS Snapshot
{{ e.resolver }}	{{ e.status }}	{{ e.code }}	{{ e.timeMs }} ms	{{ e.nsSnapshot \|\| '-' }}

Tags: DNS , Diagnostics , Networking , Security

Export to PDF Fullscreen

Include query parameters

Embed:

Customize embed code

Include query parameters

Wrap embed in collapsible toggle

Collapse panel by default

Hide card frame (bare iframe)

Loading behavior

Width

Height

Aspect ratio (width : height)

Max height (optional)

Collapsible heading

Collapsible description (optional)

Allow fullscreen

Referrer policy

Sandbox tokens

Domain Name System delegation is the chain of records that tells resolvers which nameservers are responsible for a domain. A domain delegation glue check helps you spot breakpoints before they show up as outages.

When a nameserver name sits inside the very zone it serves, resolvers often need extra address records from the parent zone to reach it. If those addresses are missing or inconsistent, lookups can fail in ways that are hard to reproduce.

Enter a domain and the checker retrieves the published nameserver set, then looks up address records for each nameserver host. It returns a delegation table plus a short set of pass, warn, and fail checks that explain what looks healthy and what needs attention.

Use it after a registrar change, a nameserver provider migration, or a nameserver renumbering to confirm that delegation still makes sense from a resolver point of view. If results look unstable, compare what two public resolvers report and rerun the check after caches have had time to refresh.

A clean result means the delegation appears consistent for the resolver you queried, not that every user sees the same answer. If you test internal hostnames or pre launch domains, treat the input as operational data and share it carefully.

Technical Details:

Domain Name System (DNS) delegation lives at a zone cut in the parent zone, where Name Server (NS) records point to the child zones authoritative nameservers. If a nameserver hostname is in-bailiwick, meaning it is inside the delegated domain, resolvers may require glue, which is A (IPv4) and AAAA (IPv6) address records published alongside the delegation in the parent.

This checker measures the delegation view that a recursive resolver returns for a domain, then expands each nameserver hostname into its address data. It flags which nameserver hosts are in-bailiwick, infers glue requirement from that relationship, and highlights missing address answers that can indicate glue breakage or a stalled rollout.

Results are summarized as per nameserver rows plus a small ruleset that emits PASS, WARN, and FAIL statuses. Optional checks look for Canonical Name (CNAME) indirection on nameserver hosts, query Delegation Signer (DS) records to indicate Domain Name System Security Extensions (DNSSEC) delegation, and compare Cloudflare and Google resolver snapshots to surface disagreement.

Because the tool relies on DNS over HTTPS (DoH) responses from public recursive resolvers, it reflects cache state and resolver policy. It cannot directly interrogate the parent authoritative servers, so glue related conclusions are best treated as strong hints rather than proofs.

How the check works

Sanitize the input into a bare hostname and remove leading and trailing dots.
Normalize the hostname to an ASCII form and use it as the query name.
If resolver is Auto, query Cloudflare first and fall back to Google on network failure.
If resolver comparison is enabled, query both resolvers for NS and record snapshots.
Query NS for the domain and parse unique nameserver hostnames from the answer data.
For each nameserver host, query A and AAAA, and optionally query CNAME.
Mark a host as in-bailiwick when it equals the domain or ends with dot plus domain.
Optionally query DS for the domain and NS plus addresses for the parent candidate zone.
Emit checks that grade the results and summarize likely delegation and glue issues.

Symbols and units

Symbols used in the delegation pipeline
Symbol	Meaning	Unit or datatype	Source
`D`	Delegated domain being checked	`string`	Input
`P`	Parent candidate derived by dropping the leftmost label of `D`	`string`	Derived
`NS`	Unique nameserver hostnames returned for `D`	`string[]`	Derived
`n`	Count of nameserver hosts	`integer`	Derived
`c`	Parallel worker count for nameserver host lookups	`integer`	Input
`T`	Per request timeout threshold	`ms`	Input
`S`	DoH JSON status code returned by the resolver	`integer`	Derived
`t`	Measured request duration	`ms`	Derived

Worked example

Suppose you check example.com and the resolver returns two nameserver hosts. One of them sits inside the delegated zone and fails to return any addresses.

n = 2

Parsed nameserver set:

ns1.example.com in-bailiwick
ns2.provider.test out of bailiwick

Address expansion outcome:

missing = 1

The checks would likely report PASS for having at least two nameservers, FAIL for missing in-bailiwick addresses, and WARN for overall nameserver resolution.

Status interpretation

Meaning of PASS WARN and FAIL
Status	Meaning	Action cue
PASS	Meets the rule with the current resolver answers.	Record the snapshot and proceed.
WARN	Suspicious, incomplete, or inconclusive based on the rule.	Compare resolvers, rerun later, or inspect authoritative data.
FAIL	Violates a rule that commonly causes delegation failures.	Fix delegation or address records before relying on the domain.

Parameters and computed checks

Parameters that affect lookup behavior
Parameter	Meaning	Unit or datatype	Typical range	Sensitivity	Notes
`resolver`	Recursive resolver queried via DoH	`auto \| cloudflare \| google`	auto	Medium	Auto uses Cloudflare first and falls back to Google on network failure.
`compare_resolvers`	Run NS lookups against both resolvers and compare snapshots	`boolean`	false	High	When enabled, disagreement adds a WARN check and evidence timing.
`check_cname_targets`	Query CNAME for each nameserver host	`boolean`	true	Medium	Disabled checks emit WARN with a note that the test was skipped.
`check_ds`	Query DS at the delegation point to indicate DNSSEC presence	`boolean`	true	Low	Absence yields WARN, presence yields PASS.
`concurrency`	Maximum parallel nameserver host lookups	`integer`	1 to 16	Low	Higher values reduce wall time but can amplify rate limits.
`timeout_ms`	Abort a single DoH request after this many milliseconds	`ms`	0 or 3500	Medium	0 means no extra timeout beyond the network stack.

Resolver endpoints and request shape

DoH requests are built as GET queries to one of these endpoints, with query parameters name, type, and ct=application/dns-json, plus an Accept: application/dns-json header.

DNS over HTTPS endpoints used by the checker
Constant	Value	Unit	Source	Notes
`RESOLVER_ENDPOINTS.cloudflare`	`https://cloudflare-dns.com/dns-query`	`URL`	Constant	Used for Auto first choice and for explicit Cloudflare selection.
`RESOLVER_ENDPOINTS.google`	`https://dns.google/resolve`	`URL`	Constant	Auto fallback and explicit Google selection.
`timeout_ms` default	`3500`	`ms`	Constant	Applied per request when greater than 0.
`concurrency` default	`6`	`workers`	Constant	Capped to 16 for nameserver host expansion.

Validation and bounds

Input validation rules and bounds
Field	Type	Min	Max	Step or pattern	Error text
Domain	`text`	—	—	Trim, strip `mailto:`, accept URL or email, remove trailing dot	`Domain is required.`
Concurrency	`number`	`1`	`16`	`1`	Clamped to `1` to `16` workers.
Timeout	`number`	`0`	—	`100`	`0` disables the extra abort timer.
Missing delegation	`result`	—	—	Empty NS answer set	`No NS records found.`

Input and output formats

Inputs and outputs produced by the checker
Input	Accepted families	Output	Encoding or precision	Rounding
Domain string	Bare hostname, URL hostname, or email domain	Delegation rows and checks	Unicode text	Not applicable
DoH timing	Measured per request	Resolver evidence time	Integer milliseconds	`Math.round`
Session state	Current results	Formatted JSON snapshot	Pretty printed with 2 space indent	Not applicable

Units, precision, and rounding

Concurrency and timeout inputs are treated as base 10 integers, and request durations are measured in milliseconds and rounded with Math.round. A DoH response is treated as successful only when the HTTP response is OK and the JSON Status field equals 0.

Networking and storage behavior

All lookups are performed from the browser by sending HTTPS requests to the selected DoH provider. The queried domain and nameserver hostnames are visible to that provider as part of normal resolution.

The script does not write results to local storage or session storage. Exports are generated from the current in memory tables and downloaded to your device when requested.

Performance notes

Network work is proportional to the number of nameservers returned for the domain.
Per nameserver host, the checker makes two queries for A and AAAA, plus an optional CNAME query.
Optional DS adds one query for the domain, and parent context adds one NS query plus A and AAAA lookups for each parent nameserver.
Parallelism is limited to at most 16 concurrent workers for nameserver host expansion.

Diagnostics and determinism

Given the same resolver answers, the same input produces the same parsed nameserver set, in-bailiwick classification, and check statuses. In practice, caches, propagation, and timeouts can change answers between runs, which is why the resolver comparison option can be useful for triage.

Security considerations

Input is sanitized to extract a hostname and remove obvious URL and email wrappers.
Because lookups are cross origin fetch requests, network filters and CORS policy can block queries.
Results reflect recursive resolver caches and may differ from authoritative truth.
Heads-up The A and AAAA columns show raw answer data and do not validate IP syntax.
Formatted JSON is rendered with a syntax highlighter, so escaping must remain correct for safety.

Assumptions and limitations

The parent candidate is computed by dropping the leftmost label and may not match public suffix boundaries.
Glue requirement is inferred from in-bailiwick detection and is not verified in the parent zone.
The tool cannot directly query authoritative servers, so it cannot confirm glue presence at the delegation point.
Resolver Auto falls back only when the first request fails at the network layer.
DoH status codes are surfaced but not decoded into human readable resolver errors.
Nameserver hostnames are normalized by lowercasing and removing a trailing dot.
Missing A and AAAA answers yield WARN for overall resolution even if only one host is affected.
DS presence indicates a DNSSEC delegation signal but does not confirm end to end validation.
Timeout is per request and does not cap total run time for large nameserver sets.
Heads-up A resolver that returns CNAME data in an A query can be misread as an address.

Edge cases and error sources

Internationalized domains can normalize to different ASCII forms depending on the URL parser.
Trailing dots, leading dots, and repeated dots are stripped before querying.
Uppercase hostnames are lowercased, which can hide case sensitive presentation differences.
Empty or missing Answer arrays in DoH responses lead to apparent missing records.
NXDOMAIN and SERVFAIL are represented only as nonzero DoH status codes.
Split horizon DNS can make public resolvers disagree with private resolver answers.
Stale cache effects can keep old nameserver sets visible after a change.
Rate limits can appear as timeouts when concurrency is set high.
Signed zero and NaN inputs for numeric fields can degrade to a single worker behavior.
Unicode normalization differences can affect comparisons when inputs contain non ASCII characters.
CNAME chains can create confusing displays when data is returned in unexpected record types.
Abort timing is best effort and can vary under heavy load.

Standards context

Core delegation behavior is described in RFC1034 and RFC1035. DNSSEC delegation signaling is covered by the DNSSEC RFC series such as RFC4033, and DoH transport is specified by RFC8484.

Privacy and compliance

Domain names can be sensitive operational data, and this checker sends queries to public DoH providers, so align usage with your organizations privacy and security guidance.

Step-by-Step Guide:

DNS delegation and glue issues show up as missing nameservers or missing nameserver addresses, and this guide helps you confirm what resolvers can reach.

Enter the Domain you expect to be delegated. Sensitive Avoid testing confidential domains on public resolvers.
Select a resolver, or keep Auto to try Cloudflare first.
If you suspect cache differences, enable Compare resolvers.
Keep Check CNAME enabled to catch non canonical nameserver hosts.
Enable Check DS if you expect DNSSEC signaling.
Adjust Concurrency for speed, and raise Timeout on slow networks.
Run the check and review the delegation rows for in-bailiwick hosts with missing addresses.
Use the checks summary to decide whether you need a registrar update, glue fix, or propagation wait.

Example After moving a domain to new nameservers, confirm there are at least two nameserver hosts and that any in-bailiwick host has address records.

If the resolver comparison shows disagreement, treat the change as still propagating or cached and rerun after some time.

Prefer resolver comparison when you are debugging intermittent reports from different networks.
Lower concurrency if you see repeated timeouts or blocking from the resolver endpoint.
Copy a snapshot when you need to share findings with a registrar or DNS provider.

Pro tip: run the check before and after a delegation change and compare the snapshots to confirm what actually moved.

When checks are stable, you have a clear snapshot of delegation health from the chosen resolver.

Features:

Detect in-bailiwick nameservers and infer likely glue requirements.
Resolve nameserver hosts to A and AAAA data and flag missing answers.
Optionally check for CNAME records on nameserver hostnames.
Optionally query DS records to indicate DNSSEC delegation signaling.
Optionally compare Cloudflare and Google resolver NS snapshots with timing and status codes.
Export the current results as CSV, DOCX, or JSON for sharing and record keeping.

FAQ:

Is my data stored?

The checker keeps results in memory for the current page session and does not write to local storage or session storage. It does send DNS queries to the selected DoH provider.

Which records are checked?

It queries NS for the delegated domain, then A and AAAA for each nameserver host. Optional checks query CNAME on nameserver hosts and DS at the delegation point.

Parent context adds NS and address lookups for the derived parent candidate zone.

What does WARN mean?

WARN means the rule found something incomplete or uncertain, such as a nameserver host with no A or AAAA answer, or two resolvers returning different NS sets.

How accurate is it?

It is accurate for what the chosen recursive resolver reports at that moment. It cannot prove what the parent authoritative servers publish, so glue conclusions are inferred.

Can I run it offline?

No. The tool must reach the configured DoH endpoint to retrieve delegation and address data, so disconnected use will fail.

How do I check glue?

Look for nameserver hosts marked in-bailiwick and verify they have at least one A or AAAA answer. Missing addresses are a common sign of glue problems.

What formats are available?

You can copy or download the delegation and checks tables as CSV, export a DOCX report, and download a JSON snapshot of the full state.

Cost and licensing?

This page does not declare pricing or licensing terms in its metadata. Treat usage rights and any costs as defined by the site that hosts it.

Troubleshooting:

No NS records found means the resolver returned an empty answer set, recheck the domain spelling and delegation state.
Nameserver hostnames resolve WARN often means one host has no A or AAAA answer, verify address records and glue.
Canonical nameserver FAIL means a CNAME answer was returned for a nameserver host, use the canonical target instead.
Resolver agreement WARN means Cloudflare and Google returned different NS sets, rerun later and compare again.
Many timeouts usually improve by lowering concurrency or raising the per request timeout.
Unexpected parent context can happen for multi label public suffixes, since the parent candidate is a simple label drop.

If every lookup fails with timeouts or errors, your network may block access to public DoH endpoints, or the endpoint may be temporarily unreachable.

Advanced Tips:

Tip Use resolver comparison before changing registrars to catch stale delegation views.
Tip Treat in-bailiwick hosts without addresses as urgent, they can strand the delegation.
Tip Keep timeout at 0 only when your network stack already enforces a strict limit.
Tip Snapshot results before and after a change to build an audit trail of what resolvers saw.
Tip When CNAME checks fail, update delegation to point at canonical nameserver hostnames.
Tip Lower concurrency when testing from restricted networks to avoid triggering rate limits.

Glossary:

Delegation: Parent zone records that point a domain to its authoritative nameservers.
Glue: Address records in the parent zone needed to reach in-bailiwick nameserver hostnames.
In-bailiwick: A nameserver hostname that lies inside the domain it serves.
NS record: A record that lists a domains authoritative nameserver hostname.
A record: An IPv4 address record for a hostname.
AAAA record: An IPv6 address record for a hostname.
CNAME record: An alias record that points one hostname to another canonical hostname.
DS record: Delegation Signer record that indicates DNSSEC delegation from the parent.
DNSSEC: Domain Name System Security Extensions that add cryptographic signing to DNS data.
DoH: DNS over HTTPS transport used to query recursive resolvers via HTTPS.
Recursive resolver: A resolver that follows delegations and caches answers for clients.
Status code: Numeric result code returned in the DoH JSON response.