forwarding a subdomain

Edward Buck ed at
Tue Nov 16 02:56:36 UTC 2004

Barry Margolin wrote:
>  Edward Buck <ed at> wrote:
>>I'm trying to set up a subdomain via forwarding and I'm seeing some 
>>unexpected behavior (unexpected for me, not necessarily for bind or 
>>you).  Here's the scenario:
>>I have a public nameserver, i.e., which is authoritative 
>>for  In the zone file for, I've delegated a 
>>subdomain to another nameserver by doing:
>>sub      IN NS
>>ns1-sub  IN A  ; public ip
>>Now, on, I've configured bind with the following zone:
>>zone "" {
>>         type forward;
>>         forward first;
>>         forwarders {
>> port 10053; // private ip
>>         };
>>};
>>The host above is on a private network accessible to ns1-sub 
>>but not to the general public.
>>The goal is to have ns1-sub resolve all queries for the subdomain 
>> by forwarding each request to the internal server at 
>>Now, here's what I don't understand.  If I query ns1-sub directly for a 
>>host in (i.e., the forwarding works 
>>as expected.  If I query ns1-sub using a different nameserver (i.e. from 
>>my ISP nameserver), the query works ONLY if ns1-sub has cached the data. 
>>If it's not in the cache, there's no answer.  This suggests that the 
>>forwarding doesn't work for recursive queries.
> When a recursive server is processing a query, it uses iterative mode, 
> so it doesn't set the "Recursion Desired" flag when it sends its 
> queries.  When it queries a server that isn't authoritative for the 
> zone, it expects to receive a referral, and it will then ask one of 
> those servers, repeating this process until it reaches the authoritative 
> servers.

Okay.  That makes sense.  Thanks for clarifying.

> In general, a subdomain can only be delegated to an authoritative 
> server, not a forwarding server.

So, is this a limitation by design?  Is there a workaround for what I'm 
trying to do?

If I delegate a subdomain to a nameserver, intuitively I would expect 
that nameserver to be authoritative for that subdomain regardless of 
whether the zone data is master, slave or a forward.

The use case I'm referring to is a private RBL on an internal LAN 
running rbldnsd.  I was planning to run rbldnsd on an internal address 
and front-end it with bind to take advantage of bind's ACL support.  The 
scenario would be something like:

public rbl query
	v nameserver (bind with ACLs)
forward to internal server running rbldnsd
answer back to original query

At the moment, this only works for cached data.  Is there a way to force 
recursion on a forwarded subdomain for which the server is authoritative?
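A small check for the behaviour described in this thread, added here as an example and not part of the original posts: it sends the delegated server one query with the "Recursion Desired" flag set (what a stub client does) and one without it (what a recursing resolver does while iterating), and classifies the server from the replies. The server address and hostname are command-line arguments; nothing else is assumed.

```python
import socket
import struct

def build_query(name, rd, txid=0x1234):
    """Raw DNS/UDP query for an A record. rd=False is what a recursing
    resolver sends while iterating, i.e. no "Recursion Desired" flag."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [lb.encode() for lb in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lb)]) + lb for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def parse_header(data):
    """Decode the 12-byte response header into the flags that matter here."""
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "answers": an, "authority": ns, "additional": ar}

def diagnose(with_rd, without_rd):
    """Classify the delegated server from its two replies (None = no reply).
    Only an AA reply to the non-RD query shows the server is authoritative;
    a cached answer comes back without AA and does not count."""
    if without_rd and without_rd["aa"]:
        return "authoritative: delegation will work"
    if with_rd and with_rd["answers"] > 0:
        return "answers only with RD set: forwarding/caching only, delegation fails for recursors"
    return "no usable answer either way"

def probe(server, name, rd, port=53, timeout=3.0):
    """Send one query and return the parsed header, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, rd), (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_header(data)

if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]   # delegated server IP, hostname under the subdomain
    replies = {rd: probe(server, name, rd) for rd in (True, False)}
    print(diagnose(replies[True], replies[False]))
```

Run it twice against the delegated server, once before and once after the name has been resolved through it, to see the cached-only case the thread describes.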


