Root server cannot be a forwarder?

John Hascall john at
Tue Oct 24 20:10:42 UTC 2006

> ... You can be both a root server and a forwarder, but your
> forwarding would need to be limited and specific. You can't be a 
> "general" forwarder.

> Why on earth someone would want to combine those functions, I have no 
> idea. Worse come to worst, just set up separate views for the separate 
> functions (assuming you can differentiate your clients somehow).

One place where it gets used is in "NetReg" type systems
where the DNS for DHCP-unknown systems lies about the
address of almost every name (sending back the IP of the
NetReg server), BUT where you want to allow a limited
amount of leakage out of the NetReg Sandbox network
so people can do Windows/virus updates before being
registered and let out on the "real internet".

So, for example, from /var/chroot/named/etc/named.conf on
my NetReg DNS box:

zone "." in {
        type master;
        file "db.root";
};

// needed windowsupdate domains
// Dear Microsoft, This list is ridiculous!

zone "" {
        type forward;
        forwarders {;;; };
};
// (about 18 more zones)
zone "" {
        type forward;
        forwarders {;;; };
};


Where, after NS records for all the forwarder zones, db.root ends up with:

*.                      IN      A
*.edu.                  IN      A
*.com.                  IN      A
*.net.                  IN      A
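
Added example, not part of the original post: a Python sketch that derives the named.conf stanzas and the tail of db.root from an allowlist, and shows why "*." alone is not enough. Each zone cut makes its parent names exist as empty non-terminals, so a wildcard is needed at every such ancestor (RFC 4592); this generalizes the post's TLD-only list to deeper zones. All zone names, addresses and the NS target are constructed placeholders.

```python
# Added example: every name and address here is a constructed placeholder.
FORWARD_ZONES = ["update.example.com", "sigs.example.net"]  # hypothetical allowlist
FORWARDERS = ["192.0.2.53", "192.0.2.54"]                   # hypothetical upstream resolvers
NETREG_IP = "192.0.2.10"                                    # hypothetical registration server
NS_TARGET = "ns.netreg.example."                            # assumed NS target for the zone cuts

def norm(name):
    return name.lower().rstrip(".")

def wildcard_owners(zones):
    """Root plus every ancestor of a forward zone.

    Delegating update.example.com. makes example.com. and com. exist as empty
    non-terminals, so "*." alone stops matching names beneath them (RFC 4592).
    """
    owners = {""}
    for labels in (norm(z).split(".") for z in zones):
        owners.update(".".join(labels[i:]) for i in range(1, len(labels)))
    return sorted(owners, key=lambda o: (len(o.split(".")) if o else 0, o))

def named_conf(zones, forwarders):
    """Master root zone followed by one forward zone per allowlisted name."""
    fwd = " ".join(ip + ";" for ip in forwarders)
    out = ['zone "." in {\n        type master;\n        file "db.root";\n};']
    for z in map(norm, zones):
        out.append(f'zone "{z}" {{\n        type forward;\n        forwarders {{ {fwd} }};\n}};')
    return "\n".join(out) + "\n"

def db_root_tail(zones, netreg_ip, ns_target):
    """Zone cuts for the forward zones, then the wildcard A records."""
    cuts = [f"{norm(z)}.\tIN\tNS\t{ns_target}" for z in zones]
    wild = [f"*.{o + '.' if o else ''}\tIN\tA\t{netreg_ip}" for o in wildcard_owners(zones)]
    return cuts + wild

def answer_for(qname, zones, netreg_ip):
    """Model the A answer a sandboxed client receives for qname."""
    q, zs = norm(qname), [norm(z) for z in zones]
    if any(q == z or q.endswith("." + z) for z in zs):
        return "forward"      # at or below a zone cut: handed to the forwarders
    if q in wildcard_owners(zs):
        return "nodata"       # node exists without an A record, nothing is synthesized
    return netreg_ip          # synthesized from the nearest wildcard

if __name__ == "__main__":
    print(named_conf(FORWARD_ZONES, FORWARDERS))
    print("\n".join(db_root_tail(FORWARD_ZONES, NETREG_IP, NS_TARGET)))
```

The "nodata" case is part of why only "almost every name" resolves to the NetReg server: the empty non-terminals themselves get no synthesized address.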

