You absolutely can zone forward a child domain if you load the parent. You have to be sure that NS records for the child exist in the parent or the server will ignore the forward.
On Tue, Sep 23, 2025, 4:44 PM Fred Morris <[email protected]> wrote:
> I got around to trying this in my test lab. It's not possible to forward a
> zone (subdomain) when BIND 9.18 is authoritative for a higher-level domain.
>
> Not expecting an answer / workaround. There is an easy workaround if
> recursion is ok, and that is to publish the glue in the TLD (you can see it
> there commented out); do that and you don't need to forward. TLDR:
> forwarding accomplishes nothing. Don't chase this squirrel.
>
> The bigger issue is... the bigger issue. That would be to serve forwarded
> zones as authoritative.
>
> --
>
> Fred Morris, internet plumber
>
> --
> On 9/8/25 7:42 AM, Michael Richardson wrote:
>
> Does this work:
> * turn off recursion on the "front" facing server.
> * use forwarders to forward to an internally facing server that does
>   have recursion on. This can be an alias on lo. It could even be a
>   view.
>
> I'm not sure if it will really work.... reads Bind9-doc..
>
> "Forwarding can also be configured on a per-domain basis, allowing for the
> global forwarding options to be overridden in a variety of
> ways. Particular domains can be set to use different forwarders, or have a
> different forward only/first behavior, or not forward at all; see zone."
>
> I'm unclear if forwarding is allowed when not recursing.
>
> Forwarding is not allowed unless recursion is allowed. A note in
> https://kb.isc.org/docs/using-private-name-space confirms a corollary of
> this:
>
>     Zone types forward, stub and static-stub do not make your server
>     authoritative for any zones so defined.
>
> But there's opaque business logic, we'll get to that. The following tests
> were both conducted with "recursion yes" in options.
>
> *Test 1: Private TLD Defined*
>
> Note that the "AA" flag is set in both responses (in spite of "recursion
> yes").
>
> ===m3047-captive.fwd===
> $TTL 600
> @ IN SOA FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. (
>     1      ; serial
>     600    ; refresh 10 minutes
>     60     ; retry 1 minute
>     86400  ; expire 1 day
>     600    ; minimum TTL 10 minutes
> )
>     NS  FEDORA.SOPHIA.M3047.
>     TXT "This is a captive environment. Authorized use only."
>
> FEDORA.SOPHIA   A   192.168.123.5
>
> ;REDIS          PTR REDIS.FLAME
> ;               PTR REDIS.ATHENA
> ;               PTR REDIS.SOPHIA
>
> ;REDIS.FLAME    NS  FLAME
> ;REDIS.ATHENA   NS  RKVDNS.ATHENA
> ;REDIS.SOPHIA   NS  SOPHIA
>
> ;FLAME          A   10.0.0.253
> ;RKVDNS.ATHENA  A   10.0.0.231
> ;SOPHIA         A   10.0.0.224
>
> ===named.conf===
> zone "m3047" {
>     type master;
>     file "m3047-captive.fwd";
> };
>
> zone "redis.athena.m3047" {
>     type forward;
>     forward only;
>     forwarders { 10.0.0.231; };
> };
>
> zone "redis.flame.m3047" {
>     type forward;
>     forward only;
>     forwarders { 10.0.0.253; };
> };
>
> zone "redis.sophia.m3047" {
>     type forward;
>     forward only;
>     forwarders { 10.0.0.224; };
> };
>
> ===results===
> m3047@sophia:~> dig @fedora.sophia m3047 soa | grep -E -A1 '>HEADER<| ANSWER SECTION'
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35385
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> --
> ;; ANSWER SECTION:
> m3047.                  600     IN      SOA     FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. 1 600 60 86400 600
>
> m3047@sophia:~> dig @fedora.sophia health.get.redis.sophia.m3047 txt | grep -E -A1 '>HEADER<| ANSWER SECTION'
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14789
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> *Test 2: Private TLD not defined*
>
> Note that the "AA" flag is not set in responses.
>
> ===named.conf===
> //zone "m3047" {
> //    type master;
> //    file "m3047-captive.fwd";
> //};
>
> zone "redis.athena.m3047" {
>     type forward;
>     forward only;
>     forwarders { 10.0.0.231; };
> };
>
> zone "redis.flame.m3047" {
>     type forward;
>     forward only;
>     forwarders { 10.0.0.253; };
> };
>
> zone "redis.sophia.m3047" {
>     type forward;
>     forward only;
>     forwarders { 10.0.0.224; };
> };
>
> ===results===
> m3047@sophia:~> dig @fedora.sophia m3047 soa | grep -E -A1 '>HEADER<| ANSWER SECTION'
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18844
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> m3047@sophia:~> dig @fedora.sophia health.get.redis.sophia.m3047 txt | grep -E -A1 '>HEADER<| ANSWER SECTION'
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2223
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> --
> ;; ANSWER SECTION:
> health.get.redis.sophia.m3047. 23 IN TXT "redis.sophia.m3047."
>
>
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list.

-Ben Croswell
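The condition Ben points at (a `type forward` zone under a zone the same server is authoritative for only takes effect if the parent zone contains NS records delegating that name) is easy to check statically before reloading named. The script below is an added example, not code from this thread or from ISC BIND: it parses a named.conf fragment and the parent master file and reports, for each forward zone, whether the parent delegates it and whether the NS targets have address records in the parent file. The inputs are constructed, adapted from Fred's named.conf and m3047-captive.fwd (the PTR lines dropped); the function names and the report format are my own. It assumes the master-file conventions used in that file (whitespace-separated parentheses, `;` comments) and does not query a running server.

```python
"""Check that each BIND `type forward` zone beneath a zone this server is
authoritative for is delegated (has NS records) in the parent zone file.
Added example; not code from the thread or from ISC BIND."""
import re
import shlex

# Constructed inputs, adapted from the named.conf and m3047-captive.fwd in the thread.
NAMED_CONF = '''
zone "m3047" { type master; file "m3047-captive.fwd"; };
zone "redis.athena.m3047" { type forward; forward only; forwarders { 10.0.0.231; }; };
zone "redis.flame.m3047"  { type forward; forward only; forwarders { 10.0.0.253; }; };
zone "redis.sophia.m3047" { type forward; forward only; forwarders { 10.0.0.224; }; };
'''
ZONE_AS_POSTED = '''$TTL 600
@ IN SOA FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. (
    1 600 60 86400 600 ; serial refresh retry expire minimum
)
    NS  FEDORA.SOPHIA.M3047.
    TXT "This is a captive environment. Authorized use only."
FEDORA.SOPHIA   A  192.168.123.5
;REDIS.FLAME    NS FLAME
;REDIS.ATHENA   NS RKVDNS.ATHENA
;REDIS.SOPHIA   NS SOPHIA
;FLAME          A  10.0.0.253
;RKVDNS.ATHENA  A  10.0.0.231
;SOPHIA         A  10.0.0.224
'''
# The same file with the commented-out delegation and address records enabled.
ZONE_DELEGATED = ZONE_AS_POSTED.replace('\n;', '\n')


def parse_named_conf(text):
    """Return {zone name: type}. Braces are matched so a nested
    `forwarders { ...; };` does not end the zone block early."""
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        t = re.search(r'\btype\s+(\w+)\s*;', text[m.end():i - 1])
        zones[m.group(1).lower().rstrip('.')] = t.group(1) if t else 'unknown'
    return zones


def tokenize(line):
    """Master-file tokens: quoted strings stay whole, ';' starts a comment.
    '(' and ')' are assumed to be whitespace-separated, as in the file above."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split, lex.commenters = True, ';'
    return list(lex)


def parse_zone(text, origin):
    """Minimal master-file parser: [(owner, type, rdata)] with owners and NS/CNAME
    targets absolute and lower-case; handles '@', inherited owners, optional
    TTL/class fields and parenthesised multi-line records."""
    origin = origin.rstrip('.').lower()

    def absolutize(name):
        if name == '@':
            return origin
        return name.rstrip('.').lower() if name.endswith('.') else f'{name}.{origin}'.lower()

    records, owner, pending, depth, inherit = [], None, [], 0, False
    for raw in text.splitlines():
        toks = tokenize(raw)
        if depth == 0:
            if not toks:
                continue
            inherit, pending = raw[:1].isspace(), []   # leading blank: owner carried over
        for t in toks:
            depth += {'(': 1, ')': -1}.get(t, 0)
            if t not in ('(', ')'):
                pending.append(t)
        if depth > 0 or not pending or pending[0].startswith('$'):  # $TTL etc. irrelevant here
            continue
        if not inherit:
            owner = absolutize(pending.pop(0))
        while pending and (pending[0].isdigit() or pending[0].upper() in ('IN', 'CH', 'HS')):
            pending.pop(0)                                # optional TTL and class
        rrtype, rdata = pending[0].upper(), pending[1:]
        if rrtype in ('NS', 'CNAME'):
            rdata = [absolutize(rdata[0])]
        records.append((owner, rrtype, rdata))
    return records


def check_forward_delegations(named_conf, zone_files):
    """For each `type forward` zone, find the closest enclosing zone this server is
    primary for (zone_files: name -> file text) and report whether that parent
    delegates the forwarded name and to which servers."""
    zones = parse_named_conf(named_conf)
    parents = {n: parse_zone(zone_files[n], n) for n, t in zones.items()
               if t in ('master', 'primary') and n in zone_files}
    report = {}
    for name in (n for n, t in zones.items() if t == 'forward'):
        parent = max((p for p in parents if name.endswith('.' + p)), key=len, default=None)
        if parent is None:   # no authoritative ancestor: the forward zone is used as-is
            report[name] = {'parent': None, 'delegated': None, 'ns': [], 'unresolved_ns': []}
            continue
        ns = [rd[0] for own, rt, rd in parents[parent] if own == name and rt == 'NS']
        addrs = {own for own, rt, _ in parents[parent] if rt in ('A', 'AAAA')}
        # NS targets with no A/AAAA in the parent file: mandatory glue when the
        # target sits under the delegated name, worth knowing either way.
        report[name] = {'parent': parent, 'delegated': bool(ns), 'ns': ns,
                        'unresolved_ns': [t for t in ns if t not in addrs]}
    return report
```

Run against `ZONE_AS_POSTED` every forward zone comes back `delegated: False`, matching the NXDOMAIN-with-AA that Test 1 shows; against `ZONE_DELEGATED` each one lists its delegating server and no unresolved targets. The check is a pre-flight only: `named-checkconf` and `named-checkzone` still validate syntax, and `dig +norecurse` against the server confirms what named actually answers.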

