authoritative "forward" zone - possible?

Justin Mason jm at
Sat Oct 16 21:54:30 UTC 2004

Hi there -- I'm trying an unusual situation here, and it doesn't
seem to be working.

I have a dynamic zone, and a daemon that will act as a nameserver,
generating data in that zone based on queries coming from clients.
rbldnsd is a good example of this.

I don't want to dedicate an IP address to this zone, so I thought
a good way to do this would be to use BIND's "type forward" zone

  zone "" IN {
          type forward;
          forward first;
          forwarders {
                  port 55;
          };
  };

IOW, run the non-BIND ns on port 55, and let clients access it through
BIND's forwarded zone.   This means I can keep BIND running on that
machine, great!

So: this works if I point clients at the nameserver directly; but if I let
them use the normal TLD delegation lookup, it fails.

The 2LD zone delegates to the subdomain correctly (AFAIK):

  IN SOA (
          3600 600 604800 3600 )
  IN NS
  IN A
  IN NS
  IN A
  IN NS
  IN A

(Note: that's on another server entirely,

A "dig +trace", however, seems to indicate that the ns2 host (where the
forward zone is running) doesn't want to be authoritative for the zone:

  : jm 1726...; dig TXT +trace

  ; <<>> DiG 9.2.4rc5 <<>> TXT +trace
  ;; global options:  printcmd
  .                       517766  IN      NS      H.ROOT-SERVERS.NET.
  .                       517766  IN      NS      I.ROOT-SERVERS.NET.
  .                       517766  IN      NS      J.ROOT-SERVERS.NET.
  .                       517766  IN      NS      K.ROOT-SERVERS.NET.
  .                       517766  IN      NS      L.ROOT-SERVERS.NET.
  .                       517766  IN      NS      M.ROOT-SERVERS.NET.
  .                       517766  IN      NS      A.ROOT-SERVERS.NET.
  .                       517766  IN      NS      B.ROOT-SERVERS.NET.
  .                       517766  IN      NS      C.ROOT-SERVERS.NET.
  .                       517766  IN      NS      D.ROOT-SERVERS.NET.
  .                       517766  IN      NS      E.ROOT-SERVERS.NET.
  .                       517766  IN      NS      F.ROOT-SERVERS.NET.
  .                       517766  IN      NS      G.ROOT-SERVERS.NET.
  ;; Received 436 bytes from in 1 ms

  org.                    172800  IN      NS      TLD1.ULTRADNS.NET.
  org.                    172800  IN      NS      TLD2.ULTRADNS.NET.
  ;; Received 119 bytes from in 96 ms

                          86400   IN      NS
                          86400   IN      NS
  ;; Received 90 bytes from in 41 ms

                          3600    IN      NS
  ;; Received 72 bytes from in 186 ms

  org.                    170720  IN      NS      TLD1.ULTRADNS.NET.
  org.                    170720  IN      NS      TLD2.ULTRADNS.NET.
  ;; Received 87 bytes from in 34 ms

So the request never gets forwarded to the forwardee nameserver daemon --
this happens within BIND.  Is there any way to make BIND think it's
authoritative for that zone?   Am I missing something?  Have I screwed up
my delegation there?

(BTW, the zone is currently down, so any queries to that
will fail.)
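Editor's note with an added example (this code is not from the post or from BIND/rbldnsd): a BIND "type forward" zone is a recursive-resolver construct. named consults it only when it recurses on behalf of a client, i.e. for a query with RD=1 from a client it allows recursion for; it never makes named authoritative for the name. A resolver walking the tree from the .org servers sends the delegated nameserver an iterative query with RD=0, so named answers from what it already holds (the delegation NS set, no AA bit) instead of forwarding to the daemon on port 55, which matches the last hop of the trace above. The script below builds both kinds of query, decodes the reply header, and classifies the reply by its AA bit and section counts; the zone and host names (rbl.example.org, ns2.example.org) and the two sample replies are constructed for illustration. `probe()` does the same against a live server but needs network access.

```python
# Added example (editor's code, not from the post): build DNS queries with and
# without the RD bit and read the AA bit in the reply, to see why an iterative
# query to a BIND "type forward" zone comes back as a referral.
# All names and sample replies below are constructed; nothing is the poster's.
import socket
import struct

QTYPE_NS, QTYPE_TXT = 2, 16
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_TXT,
                recursion_desired: bool = True, txid: int = 0x1234) -> bytes:
    """One-question query. RD=0 is what a resolver following the .org delegation
    sends to the delegated server (the dig +trace case); RD=1 is what a stub
    client sends, and is the only kind a forward zone ever forwards."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify_reply(reply: bytes) -> str:
    """'authoritative' if AA is set; 'referral' if no answers but NS records in
    the authority section; otherwise 'non-authoritative' (cached/forwarded)."""
    h = parse_header(reply)
    if h["aa"]:
        return "authoritative"
    if h["ancount"] == 0 and h["nscount"] > 0:
        return "referral"
    return "non-authoritative"


def _rr(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """Wire-format resource record, class IN."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def constructed_reply(query: bytes, aa: bool, answer: bytes = b"", ancount: int = 0,
                      authority: bytes = b"", nscount: int = 0) -> bytes:
    """Constructed reply echoing the query's id and question section."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = FLAG_QR | FLAG_RA | (qflags & FLAG_RD) | (FLAG_AA if aa else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, nscount, 0)
    return header + query[12:] + answer + authority


# Constructed samples with hypothetical names (rbl.example.org, ns2.example.org).
ITERATIVE_QUERY = build_query("test.rbl.example.org", recursion_desired=False)

# A named that only has a forward zone for rbl.example.org answers the RD=0
# query from what it holds itself: no AA, no answer, just the delegation NS.
REFERRAL_REPLY = constructed_reply(
    ITERATIVE_QUERY, aa=False, nscount=1,
    authority=_rr(encode_name("rbl.example.org"), QTYPE_NS, 3600,
                  encode_name("ns2.example.org")))

# The same query answered by a server authoritative for the zone (rbldnsd
# reached directly): AA set and a TXT answer.
AUTH_REPLY = constructed_reply(
    ITERATIVE_QUERY, aa=True, ancount=1,
    answer=_rr(encode_name("test.rbl.example.org"), QTYPE_TXT, 3600, b"\x06listed"))


def probe(server: str, qname: str, port: int = 53, timeout: float = 3.0) -> dict:
    """Live check (needs network): send RD=0 and RD=1 and classify each reply.
    A properly delegated authoritative server answers 'authoritative' to both."""
    results = {}
    for rd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, recursion_desired=rd, txid=0x4242 + rd),
                     (server, port))
            data, _ = s.recvfrom(4096)
        results["rd=1" if rd else "rd=0"] = classify_reply(data)
    return results


if __name__ == "__main__":
    print(classify_reply(REFERRAL_REPLY))  # referral
    print(classify_reply(AUTH_REPLY))      # authoritative
```

From the command line, `dig @ns2 test.rbl.example.org TXT +norecurse` is the equivalent check: if the `flags:` line of the reply lacks `aa`, that server is not authoritative for the name, and no resolver following the delegation will accept it as such, however the forward zone is configured.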


More information about the bind-users mailing list