does zone trump forward?

Alan Shackelford ashackel at
Mon Jun 3 18:53:14 UTC 2013

I agree with Len. Whenever we merge a new location into our network, and the circuit is neither fat nor reliable, I make their DNS forward queries for our internal zones to us, keep authority for their own zones, and do recursion for everything else. This allows us to serve the users as we slowly homogenize the whole mess. The "pecking order" seems to be authoritative first, forward second, and recursion last.


Alan V. Shackelford                             Senior Systems Software Engineer
The Johns Hopkins University and Johns Hopkins Medical Institutions
Baltimore, Maryland USA          ashackel at<mailto:ashackel at>          410-735-4773

From: at [ at] On Behalf Of Leonard Mills
Sent: Sunday, June 02, 2013 3:29 PM
To: Jonathan Reed; bind-users
Subject: Re: does zone trump forward?

As I understand  AUTHORITATIVE trumps anything.  For example, from an inside intranet name server forward the root (".") to somewhere on your edge, sprinkle in a few internal-only authoritative zones, and enjoy.  This is certainly not the only choice, but it functions pretty well.


From: Jonathan Reed <cronstate at<mailto:cronstate at>>
To: bind-users <bind-users at<mailto:bind-users at>>
Sent: Sunday, June 2, 2013 12:10 PM
Subject: does zone trump forward?

I've only ever come across bind configs where forwarding is in place to locate certain zones, then all other queries are handled by either recursion or authoritatively. But what about the other way around, where I'm master for a few zones but forward the rest? Consider this:

view "the-internet" {
    recursion no;
    type forward;
    forwarders {; };
    zone "<>" {
        type master
        file "<>"

Whats confusing me is the implied configuration setting of forward first when the forward statement is used. If it truly forwards first, then I see an odd logical scenario happening. All queries are sent to the forwarder before being handled by localhost. Then, once the forwarder recognizes that I'm the master of<>, why would a loop not occur if the forwarder matches this view?
To ask the question another way, does the zone statement take precedence on matching queries over any forwarding?


Please visit to unsubscribe from this list

bind-users mailing list
bind-users at<mailto:bind-users at>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list