Forward Zone

Kevin Darcy kcd at daimlerchrysler.com
Tue Nov 7 01:30:43 UTC 2000


Michael Colterman wrote:

> I did a quick browse through some archives and haven't been able to find the
> answer to my question so I'll try here now.
>
> If you have a forward zone what would be the purpose or benefit of having
> the option forward (only | first) defined?  From the documentation I have
> with BIND 8.2.3 it says "The only value causes the lookup to fail after
> trying the forwarders and getting no answer, while first would allow a
> normal lookup to be tried."  Having first wouldn't allow a normal update
> because it is a forward zone, right?
>
> I am not understanding the need for these options in a forward zone.

I like to refer to "forward first" as "opportunistic" forwarding. It will try
the forwarders, but if that doesn't work, fall back to regular iterative (i.e.
non-forwarding) mechanisms for resolving the query. Opportunistic forwarding is
appropriate in cases where you are forwarding only as a performance
optimization, i.e. you have one or more central machines on your local network
building up a large cache of query responses and answering more quickly to
other local nodes, than the remote, authoritative nameservers themselves
typically would. The thing to remember about opportunistic forwarding is that
you should never get a fundamentally *different* answer from the forwarder
(notwithstanding change-propagation delays) than you would if you went out and
asked the authoritative nameservers themselves. Opportunistic forwarding is
just a way of (hopefully) getting the same data *faster* than if forwarding
were not used at all.

"forward only", on the other hand, is "strict" forwarding. *ONLY* the
forwarders are used. This is appropriate when you are using forwarding to get
around some sort of connectivity issue (most commonly, you want internal
machines to be able to resolve Internet names for some reason), or, when used
on a per-domain basis, you want to "redirect" queries in a particular domain to
a specific set of nameservers because they possess a "special" version of the
domain in a split-DNS scenario. Strict forwarding allows you to resolve queries
that you ordinarily wouldn't be able to resolve at all because of connectivity
issues, or, if you could, to get fundamentally different answers than you would
get in the absence of forwarding. Note that "slave" or "stub" zones are an
alternative to forwarding in the latter (redirection) case, but you may need to
specify "forwarders { }" in the zone definition to inhibit any global
forwarding that may otherwise apply to names in subzones of that zone.


- Kevin
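
The three cases described in this reply, as an added `named.conf` fragment that is not part of the original message. All addresses, zone names and file paths are constructed placeholders, and the split-DNS layout is an assumption made for illustration.

```conf
// Added example: constructed addresses and zone names throughout.

options {
    directory "/var/named";

    // Opportunistic forwarding: try the central caching servers first,
    // then fall back to normal iterative resolution if they do not answer.
    // Appropriate only when the forwarders return the same data the
    // authoritative servers would, just faster.
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward first;
};

// Strict forwarding, per domain: the internal servers hold a "special"
// version of this domain (split DNS). With "forward first" here, a
// forwarder outage would fall back to iterative resolution and could
// return a fundamentally different answer, so "only" is used.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; 10.0.0.54; };
};

// Alternative to forwarding for the redirection case: a stub zone that
// points at the internal servers. The empty forwarders list inhibits the
// global forwarders above for names in subzones of this zone.
zone "lab.example" {
    type stub;
    masters { 10.0.1.53; };
    file "stub/lab.example";
    forwarders { };
};
```

After loading the configuration, querying a name under `corp.example` with the internal forwarders unreachable shows the difference: with `forward only` the lookup fails instead of falling back to a normal lookup.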