Can we provide recursion for forward zones in response to iterative queries?

Mark Andrews marka at
Tue Apr 7 00:30:30 UTC 2020

As is a private namespace, *all* of your recursive servers should be configured to serve it.  This is similar to how all of your recursive nameservers know where the root servers are, except you are using a slave zone instead of a hint zone.

i.e.

zone "<private namespace>" {   // zone name missing from the archived message; use the AD domain here
	type slave;
	masters { <address of AD server>; };
	file "slave/";               // adjust to match your local conventions.
	request-ixfr no;             // only use AXFR for as it is coming from AD as IXFR does not work well.
	forwarders { /* empty */ };  // use iterative resolution for the children of
};

Forwarding should NEVER be needed if servers are reachable at the IP level.  If the solution says “configure a forward zone” it is almost always wrong.

Do the same for the top of all other private namespaces you are using.


> On 4 Apr 2020, at 03:06, bind-lists at wrote:
> Hi,
> In summary, my question is whether there is a way to configure a bind caching server to provide recursion in response to iterative queries for records in a forward type zone.
> The background is that we have:
> - AD domain controllers that are authoritative for all of in our data centers - most clients point to these for DNS resolution.
> - Linux bind caching resolvers in our data centers - domain controllers forward to these for anything they don’t own.
> - Some AWS VPCs which have been allocated subdomains of and are routable from our data centers. These have Route53 inbound endpoints which answer queries for those subdomains.
> - The bind caching resolvers have forwarding rules for those subdomains to the AWS inbound endpoints.
> The subdomains in our AWS VPCs have NS records, but the servers those point to refuse queries for records in the subdomains. The zone resolution is taken care of by the Route53 resolver service. The Route53 inbound endpoints successfully resolve queries from our data centers for those subdomains as long as the recursion desired flag is set to 1 in the query. If recursion desired is set to 0 they do not send any reply at all.
> We want to be able to resolve PTR records in the subdomains in the AWS VPCs from our data centers where, as I said above, the clients point to the domain controllers for DNS resolution.
> Because the AD domain controllers already own, they refuse to allow us to configure conditional forwarding for its subdomains. So we delegated the subdomains to the inbound endpoints. Because they are delegations, the domain controllers set the recursion desired flag to 0 on the queries they send to the endpoints, and we are not getting replies from the endpoints.
> As a workaround we tried delegating to our linux bind caching resolvers but we ran into the same issue, that the domain controllers set recursion desired to 0. As a result, when our linux caching servers have the result in cache, the lookup is successful, but when it would require a fresh lookup it gets a reply with no answers. Hence my question, is there a way to tell our bind caching resolvers to ignore the recursion desired flag and provide recursion anyway?
> Thanks,
> Maria

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at
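As an added example (not code from this thread or from ISC), the script below builds a raw DNS query with the RD (recursion desired) bit set or cleared and decodes the RD/RA/RCODE bits of a reply, which is the flag at the centre of Maria's problem; the function names, the PTR query name and the optional `probe` helper are my own.

```python
# Added example: inspect the DNS header RD bit that domain controllers clear
# on queries to delegated servers and that Route53 inbound endpoints require.
import socket
import struct


def build_query(name: str, qtype: int = 12, rd: bool = True, txid: int = 0x1234) -> bytes:
    """Wire-format query for `name`; qtype 12 = PTR, 1 = A, class IN."""
    flags = 0x0100 if rd else 0x0000          # QR=0, OPCODE=0, RD is bit 8
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def decode_flags(msg: bytes) -> dict:
    """Decode the header bits a resolver operator cares about."""
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # reply?
        "rd": bool(flags & 0x0100),      # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),      # recursion available
        "rcode": flags & 0x000F,         # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
        "authority": ns,
    }


def probe(server: str, name: str, rd: bool, timeout: float = 2.0):
    """Send one UDP query and return decoded flags, or None if the server
    stays silent (what the inbound endpoints did for RD=0 in the thread)."""
    query = build_query(name, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    reply = decode_flags(data)
    return reply if reply["id"] == 0x1234 else None
```

Running `probe(endpoint, "1.0.10.in-addr.arpa", rd=False)` against a server and comparing it with `rd=True` reproduces the RD=0 silence described above without waiting on a domain controller.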
