Forwarding not possible for subdomain Re: Finer control over REFUSED, e.g. root referrals
Fred Morris
m3047 at m3047.net
Tue Sep 23 20:44:17 UTC 2025
I got around to trying this in my test lab. It's not possible to forward
a zone (subdomain) when BIND 9.18 is authoritative for a higher-level
domain.
Not expecting an answer / workaround. There is an easy workaround if
recursion is ok, and that is to publish the glue in the TLD (you can see
it there commented out); do that and you don't need to forward. TLDR:
forwarding accomplishes nothing. Don't chase this squirrel.
The bigger issue is... the bigger issue. That would be to serve
forwarded zones as authoritative.
--
Fred Morris, internet plumber
--
On 9/8/25 7:42 AM, Michael Richardson wrote:
> Does this work:
> * turn off recursion on the "front" facing server.
> * use forwarders to forward to an internally facing server that does
> have recursion on. This can be an alias on lo. It could even be a view.
>
> I'm not sure if will really work.... reads Bind9-doc..
>
> "Forwarding can also be configured on a per-domain basis, allowing for the
> global forwarding options to be overridden in a variety of
> ways. Particular domains can be set to use different forwarders, or have a
> different forward only/first behavior, or not forward at all; see zone."
>
> I'm unclear if forwarding is allowed when not recursing.
Forwarding is not allowed unless recursion is allowed. A note in
https://kb.isc.org/docs/using-private-name-space confirms a corollary
of this:
Zone types forward, stub and static-stub do not make your server
authoritative for any zones so defined.
But there's opaque business logic, we'll get to that. The following
tests were both conducted with "recursion yes" in options.
*Test 1: Private TLD Defined*
Note that the "AA" flag is set in both responses (in spite of "recursion
yes").
===m3047-captive.fwd===
$TTL 600
@               IN SOA  FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. (
                        1       ; serial
                        600     ; refresh 10 minutes
                        60      ; retry 1 minute
                        86400   ; expire 1 day
                        600     ; minimum TTL 10 minutes
                        )
                NS      FEDORA.SOPHIA.M3047.
                TXT     "This is a captive environment. Authorized use only."
FEDORA.SOPHIA   A       192.168.123.5
;REDIS          PTR     REDIS.FLAME
;               PTR     REDIS.ATHENA
;               PTR     REDIS.SOPHIA
;REDIS.FLAME    NS      FLAME
;REDIS.ATHENA   NS      RKVDNS.ATHENA
;REDIS.SOPHIA   NS      SOPHIA
;FLAME          A       10.0.0.253
;RKVDNS.ATHENA  A       10.0.0.231
;SOPHIA         A       10.0.0.224
===named.conf===
zone "m3047" {
    type master;
    file "m3047-captive.fwd";
};
zone "redis.athena.m3047" {
    type forward;
    forward only;
    forwarders { 10.0.0.231; };
};
zone "redis.flame.m3047" {
    type forward;
    forward only;
    forwarders { 10.0.0.253; };
};
zone "redis.sophia.m3047" {
    type forward;
    forward only;
    forwarders { 10.0.0.224; };
};
===results===
m3047 at sophia:~> dig @fedora.sophia m3047 soa | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35385
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
--
;; ANSWER SECTION:
m3047. 600 IN SOA FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. 1 600 60 86400 600
m3047 at sophia:~> dig @fedora.sophia health.get.redis.sophia.m3047 txt | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14789
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
*Test 2: Private TLD not defined*
Note that the "AA" flag is not set in responses.
===named.conf===
//zone "m3047" {
//    type master;
//    file "m3047-captive.fwd";
//};
zone "redis.athena.m3047" {
    type forward;
    forward only;
    forwarders { 10.0.0.231; };
};
zone "redis.flame.m3047" {
    type forward;
    forward only;
    forwarders { 10.0.0.253; };
};
zone "redis.sophia.m3047" {
    type forward;
    forward only;
    forwarders { 10.0.0.224; };
};
===results===
m3047 at sophia:~> dig @fedora.sophia m3047 soa | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
m3047 at sophia:~> dig @fedora.sophia health.get.redis.sophia.m3047 txt | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2223
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
--
;; ANSWER SECTION:
health.get.redis.sophia.m3047. 23 IN TXT "redis.sophia.m3047."
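The two tests above can be turned into a mechanical check: a reply for a name under a configured forward zone that still carries the AA bit was answered by the parent zone on this server, not by the forwarder, so the forward statement was never consulted. The script below is an added example, not code from the message or from ISC. It re-parses the dig header and flags lines quoted above (embedded here as a constructed transcript), takes the forward zone names from the posted named.conf, and labels each reply; the verdict strings and the helper names are this example's own.

```python
"""Flag forward zones that BIND answers authoritatively instead of forwarding.

Added example, not part of the original message. It parses `dig` output
of the shape shown in the post (prompt line, HEADER line, flags line) and
reports, for each query, whether the reply came from an authoritative zone,
from recursion, from a forwarder, or from the parent zone that shadows a
forward zone (the failure the post describes).
"""
import re
from dataclasses import dataclass

# Forward zones as declared in the named.conf quoted in the message.
FORWARD_ZONES = ("redis.athena.m3047", "redis.flame.m3047", "redis.sophia.m3047")

# Constructed transcript: the four dig runs from Test 1 and Test 2 above,
# concatenated so the checker runs offline.
SAMPLE_TRANSCRIPT = """\
m3047 at sophia:~> dig @fedora.sophia m3047 soa | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35385
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
--
;; ANSWER SECTION:
m3047. 600 IN SOA FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. 1 600 60 86400 600
m3047 at sophia:~> dig @fedora.sophia health.get.redis.sophia.m3047 txt | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14789
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
m3047 at sophia:~> dig @fedora.sophia m3047 soa | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
m3047 at sophia:~> dig @fedora.sophia health.get.redis.sophia.m3047 txt | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2223
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

DIG_CMD = re.compile(r"\bdig\b(?P<args>.*?)(?:\||$)")
HEADER = re.compile(r"status:\s*(?P<status>\w+),\s*id:\s*(?P<id>\d+)")
FLAGS = re.compile(r"flags:\s*(?P<flags>[a-z ]*);")


@dataclass
class DigReply:
    qname: str
    qtype: str
    status: str
    flags: frozenset
    verdict: str


def _qname_from_dig_args(args):
    """Return (qname, qtype) from dig's arguments, skipping @server and +options."""
    tokens = [t for t in args.split() if not t.startswith(("@", "+"))]
    if not tokens:
        return None, None
    qname = tokens[0].rstrip(".").lower()
    qtype = tokens[1].upper() if len(tokens) > 1 else "A"
    return qname, qtype


def _in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)


def judge(qname, flags, forward_zones=FORWARD_ZONES):
    """Classify one reply from its query name and header flags."""
    forwarded = any(_in_zone(qname, z) for z in forward_zones)
    aa = "aa" in flags
    if forwarded and aa:
        # The parent zone on this server answered; the forward zone is shadowed.
        return "FORWARD IGNORED: parent zone answered authoritatively"
    if forwarded:
        return "forwarded"
    return "authoritative" if aa else "recursive"


def parse_transcript(text, forward_zones=FORWARD_ZONES):
    """Pair each dig command line with the HEADER/flags lines that follow it."""
    replies = []
    qname = qtype = status = None
    for line in text.splitlines():
        m = DIG_CMD.search(line)
        if m and not line.startswith(";;"):
            qname, qtype = _qname_from_dig_args(m.group("args"))
            status = None
            continue
        m = HEADER.search(line)
        if m:
            status = m.group("status")
            continue
        m = FLAGS.search(line)
        if m and qname is not None and status is not None:
            flags = frozenset(m.group("flags").split())
            verdict = judge(qname, flags, forward_zones)
            replies.append(DigReply(qname, qtype, status, flags, verdict))
            status = None
    return replies


if __name__ == "__main__":
    for r in parse_transcript(SAMPLE_TRANSCRIPT):
        print(f"{r.qname:<32} {r.qtype:<4} {r.status:<9} -> {r.verdict}")
```

Feed `parse_transcript()` the output of your own `dig @server name type` runs (the HEADER and flags lines are what it needs) with the forward zones from your named.conf; any "FORWARD IGNORED" line means the name is being served from the parent zone rather than from the forwarder, which is exactly the Test 1 outcome in the post.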