NXDomain reply after LAN IP response from forwarder for zone

Jarrod Spencer Farrell jarrodmaddy at gmail.com
Sat Sep 13 18:08:34 UTC 2025


That changes the response to ServFail, but that's probably appropriate for what I'm doing, from reading into the option. (https://serverfault.com/a/1001622)

And watching `tcpdump` while asking via `dig`, without the extra clutter I was getting from my phone, I am noticing I missed another query being made when previously there was a lot of noise from my phone.

```
IP 10.0.10.3.38966 > 10.0.10.100.53: 32932+ [1au] A? firewall.my-home.net.lan. (62)
IP 10.0.10.100.7337 > 10.0.10.101.53: 6902+% [1au] A? firewall.my-home.net.lan. (62)
IP 10.0.10.101.53 > 10.0.10.100.7337: 6902* 1/0/1 A 10.96.48.1 (66)
IP 10.0.10.100.53823 > 10.0.10.101.53: 57793+% [1au] DS? firewall.my-home.net.lan. (62)
IP 10.0.10.101.53 > 10.0.10.100.53823: 57793* 0/0/1 (50)
IP 10.0.10.100.53 > 10.0.10.3.38966: 32932 ServFail 0/0/1 (78)
```

The VPS is asking for a DS answer. This seems to be a DNSSEC thing, and I don't think I need DNSSEC for this zone in particular.

I did notice `dnssec-must-be-secure` got deprecated and removed, so I removed it from my configuration (https://gitlab.isc.org/isc-projects/bind9/-/issues/4263). I saw it in passing when searching for options and felt it was relevant to add to the config. Removing it doesn't change what the VPS does.

```named.conf
include "/etc/bind/rndc.key";
controls {
   inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
};

acl cachenetworks {  127.0.0.0/24;  ::1/128;  10.0.10.0/24;  };
acl badnetworks {  };

options {
   listen-on {  any;  };
   listen-on-v6 {  any;  };
   allow-query-cache { cachenetworks; };
   blackhole { badnetworks; };
   forward first;
   forwarders {  9.9.9.9;  149.112.112.112;  2620:fe::fe;  2620:fe::9;  };
   directory "/run/named";
   pid-file "/run/named/named.pid";
};

zone "my-home.net.lan" {
   type forward;
   forward only;
   forwarders { 10.0.10.101; };
};
```

On 9/13/25 01:49, Mark Andrews wrote:
> Use “forward only:” for your local zones.
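As an added example (not code from this post or from BIND), a Python script that correlates the `tcpdump` summary lines above into query/reply transactions and, for each ServFail the resolver returned to a client, lists what the resolver itself asked upstream for that name and how upstream replied. It assumes the resolver address 10.0.10.100 from the trace and tcpdump's default DNS summary format, and flags the pattern seen here (upstream answered the A query, returned NODATA for DS, client still got ServFail) as a validation-side failure rather than a missing record.

```python
import re

# tcpdump DNS summary line: "IP src.port > dst.port: txid[flags] body (len)"
LINE_RE = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)[+*%$|-]* (.*) \(\d+\)$")
QUERY_RE = re.compile(r"(?:\[\S+\] )?([A-Z0-9]+)\? (\S+)$")   # "[1au] A? name."
REPLY_RE = re.compile(r"^(?:([A-Za-z]+) )?(\d+)/\d+/\d+")     # "ServFail 0/0/1", "1/0/1 A ..."

def correlate(lines):
    """Pair each query with its reply by (client, client port, server, txid)."""
    pending, txns = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, txid, body = m.groups()
        if q := QUERY_RE.match(body):
            t = dict(client=src, server=dst, qtype=q[1], qname=q[2], rcode=None, answers=0)
            pending[(src, sport, dst, txid)] = t
            txns.append(t)
        elif (r := REPLY_RE.match(body)) and (t := pending.pop((dst, dport, src, txid), None)):
            t["rcode"] = r[1] or "NOERROR"  # tcpdump prints no word for NOERROR
            t["answers"] = int(r[2])
    return txns

def explain_servfail(lines, resolver):
    """For each client query `resolver` answered ServFail, show what it asked upstream."""
    txns, findings = correlate(lines), []
    for t in txns:
        if t["server"] != resolver or t["rcode"] != "ServFail":
            continue
        up = [(u["qtype"], u["rcode"], u["answers"])
              for u in txns if u["client"] == resolver and u["qname"] == t["qname"]]
        # Upstream had the data but no DS record, yet the client got ServFail: the
        # failure happened inside the resolver (DNSSEC validation), not upstream.
        data_ok = any(qt == t["qtype"] and rc == "NOERROR" and an > 0 for qt, rc, an in up)
        ds_nodata = any(qt == "DS" and rc == "NOERROR" and an == 0 for qt, rc, an in up)
        findings.append({"client": t["client"], "qname": t["qname"], "upstream": up,
                         "validation_suspect": data_ok and ds_nodata})
    return findings

# Trace lines copied from the post above (resolver 10.0.10.100, upstream 10.0.10.101).
TRACE = """\
IP 10.0.10.3.38966 > 10.0.10.100.53: 32932+ [1au] A? firewall.my-home.net.lan. (62)
IP 10.0.10.100.7337 > 10.0.10.101.53: 6902+% [1au] A? firewall.my-home.net.lan. (62)
IP 10.0.10.101.53 > 10.0.10.100.7337: 6902* 1/0/1 A 10.96.48.1 (66)
IP 10.0.10.100.53823 > 10.0.10.101.53: 57793+% [1au] DS? firewall.my-home.net.lan. (62)
IP 10.0.10.101.53 > 10.0.10.100.53823: 57793* 0/0/1 (50)
IP 10.0.10.100.53 > 10.0.10.3.38966: 32932 ServFail 0/0/1 (78)
""".splitlines()
```

Calling `explain_servfail(TRACE, "10.0.10.100")` yields one finding for 10.0.10.3 with upstream replies `[("A", "NOERROR", 1), ("DS", "NOERROR", 0)]` and `validation_suspect` set; feed it `tcpdump -n port 53` output to check other ServFails the same way.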
