Behavior of 'forward only' zone

Tue Aug 20 22:05:23 UTC 2024

Hi John.
The reason is step 4c here:
https://datatracker.ietf.org/doc/html/rfc1034#section-5.3.3

The A record in the response is for a name that BIND wasn't asked for
(otherwise why a CNAME at all?), so in the interests of not just believing
random answers that might potentially poison the cache, BIND needs to check
for itself, even if the resulting fetch is sent to the same forwarder.

Your resolver somehow needs to be able to get an answer to the target of
the CNAME. Not knowing your setup I can't say *how* it could do this. But
possibly by forwarding that name, or a (grand)parent of that domain to
another resolver that can get the answer for it?

Hope that helps.
Cheers, Greg

On Tue, 20 Aug 2024 at 21:28, John Thurston <john.thurston at alaska.gov>
wrote:

> We are asked to forward queries for foo.example.com to a set of private
> resolvers. So we have something like this in our .conf
>
> zone "foo.example.com" {type forward; forward only;
>         forwarders { 10.1.2.3; 10.1.4.5; };
> };
>
> And when queried for an A-record for bar.foo.example.com (and the
> A-record exists), the query is forwarded, the answer is received, cached,
> and returned to the customer.
>
> But in the case where bar.foo.example.com is an alias to a record in some
> other domain (e.g. foo.baz.local), the behavior is different.
>
> With a packet capture, I can see the query being forwarded to one of the
> targets (with the 'recursion desired' bit set). I can see the reply coming
> back with the 'recursion available' bit set, and the answer containing the
> CNAME, and the ultimate A-record. The distant server has performed the
> requested recursion.
>
> My recursive server does not, however, return the final A-record to the
> customer. It attempts to resolve the intermediate CNAME, and (since the
> CNAME is to another private domain of which I have no knowledge) it fails.
> An NXDOMAIN is returned to the customer.
>
> I understood the 'type forward' to be a 'hand off'. My server would set
> the rd-bit, forward the query on, and accept (and return) whatever answer
> was received. If I'm correctly interpreting what I see, my server will
> accept whatever answer is received but only for exactly the zone named in
> zone-statement. When the answer contains an alias to some other domain, my
> server hands that name back into its own recursing process.
>
> Is there some way to configure BIND so it will simply pass back to the
> customer whatever answer is received from the distant resolver?
>
>
> --
> --
> Do things because you should, not just because you can.
>
> John Thurston    907-465-8591John.Thurston at alaska.gov
> Department of Administration
> State of Alaska
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20240820/e32c82e4/attachment-0001.htm>