Forwarding from delegated zone not working

[Tony Finch]

seanliam73 <sean.oreilly at landg.com> wrote:
>
> I know the forwarding is working because I can query the main bind9
> instance at receive the expected results. However if I query from the AD
> server that is doing the delegation I get a SERVFAIL error.

I guess one possible cause for this problem might be if the AD server is
making iterative queries (RD=0) rather than recursive queries (RD=1). In
this the BIND forwarding setup will not work because forwarding only
applies to recursive queries.

It's probably more reliable to set up the subdomain and sub-sub-domains
with proper delegations, so that normal iterative resolution works.

A few unrelated notes...

> options {
>         directory "/var/named";
>         listen-on port 53 { listen addr; };
>         auth-nxdomain yes;

Don't use this option, it has been useless since 2001.

>         recursion yes;
>         allow-query { ip addresses; };
>         listen-on-v6 { any; };
>         dnssec-enable no;

There should not be any reason to turn off DNSSEC support.

>         dnssec-validation no;
>         dnssec-lookaside auto;

dnssec-lookaside is now obsolete, but even before it was decommissioned
these two lines contradicted each other!

> };

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Lundy, Fastnet, Irish Sea, Southeast Shannon: Southwesterly 5 to 7,
occasionally gale 8 later. Slight or moderate, becoming moderate or rough.
Occasional rain. Moderate or good, occasionally poor.