That diagram is crazy; I can’t make sense out of what it is trying to convey about how the pieces fit together.
They’re the same (authoritative). The only TLD name servers Google would own/operate would be for TLDs they own (I think they own a few TLDs, but not the common ones like .com, .net, .org, or the country ones).
All you need to know is that, at your registrar, you have to delegate authority for your zone(s) to the right DNS servers (whether that is Virtualmin managed BIND servers, or some service like Google’s cloud domain service or Route 53 or your registrar’s DNS servers).
If Google Domains is your registrar, then they are also where you have to create the glue records to point to whatever name servers you want. That’s what registrars do. They are the link between your domain name and the world’s DNS infrastructure.
No. You cannot talk to the TLD or root name servers at all. (I mean, you can query them, but you cannot alter records there.)
Your VPS has nothing to do with anything upstream of it in the DNS hierarchy. Only your registrar can delegate to you. You cannot directly alter anything in the root/TLD name servers (and you don’t need to have any awareness of how they work); all you can do is tell your registrar to update it on your behalf.
Delegation means that when a user makes a request for your domain, a DNS server (a resolving server in that diagram) that hasn’t already cached the information will ask a root name server who to query, and will bounce down through the hierarchy until it reaches the delegation records that point them to your name servers. Clients always ask your name servers (I’m including Google’s name servers in the definition of “your name servers” since you have direct control over the records there) for records in your zone. Nothing above your name servers has any records about your domain except delegation information, who is authoritative for the zone.
Making Virtualmin authoritative for your zone(s) is one step, or possibly a few extras, depending on how your registrar handles it. Some registrars require you to already have name server names that resolve on the internet; so springing a new domain into existence is a few extra steps. Some registrars have a bit of magic in their Name Servers (or Glue Records or Delegation) page that handles those multiple steps for you, allowing you to enter both names and IP addresses for your name servers.
In the former, more complicated case, you need to leave authority with your registrar (Google in this case) while you create A records for each of your new name servers (at least two, the Virtualmin server and one secondary that is set up as a slave according to our docs on the topics) on their name servers. Once the A records for ns1.domain.tld and ns2.domain.tld are resolving correctly, you can then enter those into the name server page of your registrar, and that’ll probably all work out.
But, all of this is highly dependent on how your registrar does things. Understanding the concepts is more important than the specific process. If you understand what you’re trying to do (delegate authority for your zone(s) to your Virtualmin server and its secondary), you can figure out how to do it with whatever GUI and process the registrar requires.
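
As an added example, not part of the original post: a small Python check of the delegation state described above, run over constructed records for the placeholder zone domain.tld (the addresses are documentation ranges and the function names are hypothetical). It also compares the NS set held at the registrar with the NS set in the zone itself, which goes slightly beyond what the post covers.

```python
def norm(name):
    """Lower-case a DNS name and drop any trailing dot."""
    return name.lower().rstrip(".")

def in_zone(ns, zone):
    """True when the name server's own name lives inside the delegated zone."""
    return ns == zone or ns.endswith("." + zone)

def check_delegation(zone, parent_ns, glue, child_ns, child_a):
    """Return a list of problems with a delegation (empty list = consistent)."""
    zone = norm(zone)
    parent = {norm(n) for n in parent_ns}      # NS names entered at the registrar
    child = {norm(n) for n in child_ns}        # NS records served by the zone itself
    glue = {norm(k): v for k, v in glue.items()}
    child_a = {norm(k): v for k, v in child_a.items()}
    problems = []
    if len(parent) < 2:
        problems.append("fewer than two name servers delegated")
    for ns in sorted(parent):
        if not in_zone(ns, zone):
            continue  # a name outside the zone resolves elsewhere; no glue needed
        if ns not in glue:
            problems.append(f"{ns}: no glue record at the registrar")
        elif child_a.get(ns) != glue[ns]:
            problems.append(f"{ns}: glue {glue[ns]} != zone A record {child_a.get(ns)}")
    if parent != child:
        diff = ", ".join(sorted(parent ^ child))
        problems.append(f"registrar NS set differs from zone NS set: {diff}")
    return problems

# Constructed sample data (placeholder zone, documentation address ranges).
ZONE = "domain.tld"
NAMES = ["ns1.domain.tld.", "ns2.domain.tld."]
ZONE_A = {"ns1.domain.tld": "192.0.2.10", "ns2.domain.tld": "198.51.100.20"}
GOOD = dict(parent_ns=NAMES, glue=dict(ZONE_A), child_ns=NAMES, child_a=ZONE_A)
# Broken case: ns1 has stale glue, ns2 was never given an address at the registrar.
BROKEN = dict(parent_ns=NAMES, glue={"ns1.domain.tld": "192.0.2.99"},
              child_ns=NAMES, child_a=ZONE_A)

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("broken", BROKEN)):
        issues = check_delegation(ZONE, **data)
        print(label, "->", issues or "delegation is consistent")
```
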