Forwarding not possible for subdomain Re: Finer control over REFUSED, e.g. root referrals

Fred Morris m3047 at m3047.net
Tue Sep 23 20:44:17 UTC 2025 

I got around to trying this in my test lab. It's not possible to forward
a zone (subdomain) when BIND 9.18 is authoritative for a higher-level
domain.

Not expecting an answer / workaround. There is an easy workaround if
recursion is ok, and that is to publish the glue in the TLD (you can see
it there commented out); do that and you don't need to forward. TLDR:
forwarding accomplishes nothing. Don't chase this squirrel.

The bigger issue is... the bigger issue. That would be to serve
forwarded zones as authoritative.

--

Fred Morris, internet plumber

--

On 9/8/25 7:42 AM, Michael Richardson wrote:
> Does this work:
>      * turn off recursion on the "front" facing server.
>      * use forwarders to forward to an internally facing server that does
>        have recursion on.  This can be an alias on lo.  It could even be a view.
>
> I'm not sure if will really work.... reads Bind9-doc..
>
>    "Forwarding can also be configured on a per-domain basis, allowing for the
>    global forwarding options to be overridden in a variety of
>    ways. Particular domains can be set to use different forwarders, or have a
>    different forward only/first behavior, or not forward at all; see zone."
>
> I'm unclear if forwarding is allowed when not recursing.

Forwarding is not allowed unless recursion is allowed. A note in
https://kb.isc.org/docs/using-private-name-space confirms a corrollary
of this:

    Zone types forward, stub and static-stub do not make your server
    authoritative for any zones so defined.

But there's opaque business logic, we'll get to that. The following
tests were both conducted with "recursion yes" in options.

*Test 1: Private TLD Defined*

Note that the "AA" flag is set in both responses (in spite of "recursion
yes").
**

===m3047-captive.fwd===
$TTL 600
@       IN SOA FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. (
           1    ; serial
           600  ; refresh 10 minutes
           60   ; retry 1 minute
           86400        ; expire 1 day
           600  ; minimum TTL 10 minutes
           )
        NS      FEDORA.SOPHIA.M3047.
        TXT     "This is a captive environment. Authorized use only."

FEDORA.SOPHIA   A       192.168.123.5

;REDIS          PTR     REDIS.FLAME
;               PTR     REDIS.ATHENA
;               PTR     REDIS.SOPHIA

;REDIS.FLAME    NS      FLAME
;REDIS.ATHENA   NS      RKVDNS.ATHENA
;REDIS.SOPHIA   NS      SOPHIA

;FLAME          A       10.0.0.253
;RKVDNS.ATHENA  A       10.0.0.231
;SOPHIA         A       10.0.0.224

===named.conf===
zone "m3047" {
    type master;
    file "m3047-captive.fwd";
};

zone "redis.athena.m3047" {
    type forward;
    forward only;
    forwarders { 10.0.0.231; };
};

zone "redis.flame.m3047" {
    type forward;
    forward only;
    forwarders { 10.0.0.253; };
};

zone "redis.sophia.m3047" {
    type forward;
    forward only;
    forwarders { 10.0.0.224; };
};
===results===
m3047 at sophia:~> dig @fedora.sophia m3047 soa | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35385
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
--
;; ANSWER SECTION:
m3047.                  600     IN      SOA     FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. 1 600 60 86400 600
m3047 at sophia:~> dig @fedora.sophia health.get.redis.sophia.m3047 txt | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14789
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

*Test 2: Private TLD not defined*

Note that the "AA" flag is not set in responses.

===named.conf===
//zone "m3047" {                                                                                                                    
//    type master;                                                                                                                  
//    file "m3047-captive.fwd";                                                                                                     
//};                                                                                                                                

zone "redis.athena.m3047" {
    type forward;
    forward only;
    forwarders { 10.0.0.231; };
};

zone "redis.flame.m3047" {
    type forward;
    forward only;
    forwarders { 10.0.0.253; };
};

zone "redis.sophia.m3047" {
    type forward;
    forward only;
    forwarders { 10.0.0.224; };
};
===results===
m3047 at sophia:~> dig @fedora.sophia m3047 soa | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
m3047 at sophia:~> dig @fedora.sophia health.get.redis.sophia.m3047 txt | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2223
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
--
;; ANSWER SECTION:
health.get.redis.sophia.m3047. 23 IN    TXT     "redis.sophia.m3047."


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20250923/2db3dd77/attachment-0001.htm>

More information about the bind-users mailing list