Forwarding not possible for subdomain Re: Finer control over REFUSED, e.g. root referrals

Ben Croswell ben.croswell at gmail.com
Tue Sep 23 21:17:03 UTC 2025


You absolutely can zone forward a child domain if you load the parent. You
have to be sure that NS records for the child exist in the parent or the
server will ignore the forward.

On Tue, Sep 23, 2025, 4:44 PM Fred Morris <m3047 at m3047.net> wrote:

> I got around to trying this in my test lab. It's not possible to forward a
> zone (subdomain) when BIND 9.18 is authoritative for a higher-level domain.
>
> Not expecting an answer / workaround. There is an easy workaround if
> recursion is ok, and that is to publish the glue in the TLD (you can see it
> there commented out); do that and you don't need to forward. TLDR:
> forwarding accomplishes nothing. Don't chase this squirrel.
>
> The bigger issue is... the bigger issue. That would be to serve forwarded
> zones as authoritative.
>
> --
>
> Fred Morris, internet plumber
>
> --
> On 9/8/25 7:42 AM, Michael Richardson wrote:
>
> Does this work:
>      * turn off recursion on the "front" facing server.
>      * use forwarders to forward to an internally facing server that does
>        have recursion on.  This can be an alias on lo.  It could even be a view.
>
> I'm not sure if it will really work.... reads Bind9-doc..
>
>    "Forwarding can also be configured on a per-domain basis, allowing for the
>    global forwarding options to be overridden in a variety of
>    ways. Particular domains can be set to use different forwarders, or have a
>    different forward only/first behavior, or not forward at all; see zone."
>
> I'm unclear if forwarding is allowed when not recursing.
>
> Forwarding is not allowed unless recursion is allowed. A note in
> https://kb.isc.org/docs/using-private-name-space confirms a corollary of
> this:
>
> Zone types forward, stub and static-stub do not make your server
> authoritative for any zones so defined.
>
> But there's opaque business logic, we'll get to that. The following tests
> were both conducted with "recursion yes" in options.
>
> *Test 1: Private TLD Defined*
>
> Note that the "AA" flag is set in both responses (in spite of "recursion
> yes").
>
> ===m3047-captive.fwd===
> $TTL 600
> @       IN SOA FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. (
>            1    ; serial
>            600  ; refresh 10 minutes
>            60   ; retry 1 minute
>            86400        ; expire 1 day
>            600  ; minimum TTL 10 minutes
>            )
>         NS      FEDORA.SOPHIA.M3047.
>         TXT     "This is a captive environment. Authorized use only."
>
> FEDORA.SOPHIA   A       192.168.123.5
>
> ;REDIS          PTR     REDIS.FLAME
> ;               PTR     REDIS.ATHENA
> ;               PTR     REDIS.SOPHIA
>
> ;REDIS.FLAME    NS      FLAME
> ;REDIS.ATHENA   NS      RKVDNS.ATHENA
> ;REDIS.SOPHIA   NS      SOPHIA
>
> ;FLAME          A       10.0.0.253
> ;RKVDNS.ATHENA  A       10.0.0.231
> ;SOPHIA         A       10.0.0.224
>
> ===named.conf===
> zone "m3047" {
>     type master;
>     file "m3047-captive.fwd";
> };
>
> zone "redis.athena.m3047" {
>     type forward;
>     forward only;
>     forwarders { 10.0.0.231; };
> };
>
> zone "redis.flame.m3047" {
>     type forward;
>     forward only;
>     forwarders { 10.0.0.253; };
> };
>
> zone "redis.sophia.m3047" {
>     type forward;
>     forward only;
>     forwarders { 10.0.0.224; };
> };
> ===results===
> m3047 at sophia:~> dig @fedora.sophia m3047 soa | grep -E -A1 '>HEADER<| ANSWER SECTION'
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35385
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> --
> ;; ANSWER SECTION:
> m3047.                  600     IN      SOA     FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. 1 600 60 86400 600
> m3047 at sophia:~> dig @fedora.sophia health.get.redis.sophia.m3047 txt | grep -E -A1 '>HEADER<| ANSWER SECTION'
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14789
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> *Test 2: Private TLD not defined*
>
> Note that the "AA" flag is not set in responses.
>
> ===named.conf===
> //zone "m3047" {
> //    type master;
> //    file "m3047-captive.fwd";
> //};
>
> zone "redis.athena.m3047" {
>     type forward;
>     forward only;
>     forwarders { 10.0.0.231; };
> };
>
> zone "redis.flame.m3047" {
>     type forward;
>     forward only;
>     forwarders { 10.0.0.253; };
> };
>
> zone "redis.sophia.m3047" {
>     type forward;
>     forward only;
>     forwarders { 10.0.0.224; };
> };
> ===results===
> m3047 at sophia:~> dig @fedora.sophia m3047 soa | grep -E -A1 '>HEADER<| ANSWER SECTION'
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18844
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> m3047 at sophia:~> dig @fedora.sophia health.get.redis.sophia.m3047 txt | grep -E -A1 '>HEADER<| ANSWER SECTION'
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2223
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> --
> ;; ANSWER SECTION:
> health.get.redis.sophia.m3047. 23 IN    TXT     "redis.sophia.m3047."
>
>
-Ben Croswell
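A small check for Ben's point, added here as an illustration rather than anything from the thread: given the parent zone's file and the names of the forward zones, it reports which forwards BIND will honour (child delegated by NS records in the parent, or no authoritative parent at all) and which will be ignored. It assumes one parent zone file and a deliberately simplified zone-file reader; the sample zone is constructed from Fred's Test 1, with one of the commented-out delegations made active.

```python
# Constructed sample adapted from the thread: the parent zone "m3047" with the
# REDIS.FLAME delegation active and the other two commented out, as in Test 1.
ZONE_FILE = """\
$TTL 600
@       IN SOA FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. (
           1 600 60 86400 600 )
        NS      FEDORA.SOPHIA.M3047.
REDIS.FLAME     NS      FLAME
;REDIS.ATHENA   NS      RKVDNS.ATHENA
;REDIS.SOPHIA   NS      SOPHIA
"""
FORWARD_ZONES = ["redis.athena.m3047.", "redis.flame.m3047.", "redis.sophia.m3047."]

def ns_owners(zone_text, origin):
    """Absolute lowercase owner names carrying NS records; ';' comments are ignored."""
    owners, last_owner, depth = set(), "@", 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        in_parens, depth = depth > 0, depth + line.count("(") - line.count(")")
        if in_parens or not line.strip() or line.startswith("$"):  # SOA continuation, blank, directive
            continue
        tokens = line.split()
        if not raw[0].isspace():          # owner given; otherwise the previous owner repeats
            last_owner = tokens.pop(0)
        name = origin if last_owner == "@" else last_owner
        if "NS" in map(str.upper, tokens):
            owners.add((name if name.endswith(".") else f"{name}.{origin}").lower())
    return owners

def delegated(name, parent, owners):
    # True if `name` or any name between it and the parent apex has NS records in the parent.
    while name != parent:
        if name in owners:
            return True
        name = name.split(".", 1)[1]
    return False

def check_forwards(forward_zones, parent=None, zone_text=""):
    """Classify each forward zone: used (no authoritative parent), delegated and used, or ignored."""
    owners = ns_owners(zone_text, parent) if parent else set()
    findings = {}
    for name in forward_zones:
        if not parent or not name.endswith("." + parent):
            findings[name] = "ok: no authoritative parent, forward zone is used"
        elif delegated(name, parent, owners):
            findings[name] = f"ok: delegated by NS records in {parent}"
        else:
            findings[name] = f"IGNORED: {parent} is authoritative and has no NS delegation for {name}"
    return findings
```

Calling `check_forwards(FORWARD_ZONES, "m3047.", ZONE_FILE)` reproduces Test 1 (only the flame forward is honoured), while `check_forwards(FORWARD_ZONES)` is Test 2 with the parent zone commented out.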