<div dir="auto"><div>I guess I made the assumption that the zone was properly forwarded at the MS end.</div><div dir="auto"><br></div><div dir="auto"> However, as you mentioned, if it was only delegated then it would SERVFAIL at the BIND server when receiving an iterative query from MS if BIND isn't authoritative.<br><div class="gmail_extra" dir="auto"><br><div class="gmail_quote">On Oct 10, 2017 11:44 AM, "Darcy Kevin (FCA)" <<a href="mailto:kevin.darcy@fcagroup.com">kevin.darcy@fcagroup.com</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div class="m_-5117545161302303737WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">But surely you’d get an NXDOMAIN in that case, not a SERVFAIL.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">The assumption I made in my post was that the delegation was pointed to the forwarding BIND instance, which is a non-starter.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
<p class="m_-5117545161302303737MsoListParagraph" style="margin-left:5.75in">
<u></u><span style="font-size:11.0pt;color:black"><span>-<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Kevin<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> bind-users [mailto:<a href="mailto:bind-users-bounces@lists.isc.org" target="_blank">bind-users-bounces@<wbr>lists.isc.org</a>]
<b>On Behalf Of </b>Ben Croswell<br>
<b>Sent:</b> Tuesday, October 10, 2017 11:38 AM<br>
<b>To:</b> seanliam73 <<a href="mailto:sean.oreilly@landg.com" target="_blank">sean.oreilly@landg.com</a>><br>
<b>Cc:</b> <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<b>Subject:</b> Re: Forwarding from delegated zone not working<u></u><u></u></span></p><div class="elided-text">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">If the AD environment loads <a href="http://company.com" target="_blank">company.com</a> you need to make sure it has NS delegations. The nameserver will ignore the zone forwarded if it knows the child doesn't exist.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Oct 10, 2017 11:22 AM, "seanliam73" <<a href="mailto:sean.oreilly@landg.com" target="_blank">sean.oreilly@landg.com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">Hi<br>
<br>
I have a subdomain delegated from AD to a bind9 instance I have running<br>
so that all requests for that subdomain are sent to the bind 9 instance. I<br>
would then like to set up zone forwarding so that further subdomains can be<br>
managed by other bind 9 instances.<br>
<br>
I know the forwarding is working because I can query the main bind9 instance<br>
and receive the expected results. However, if I query from the AD server that<br>
is doing the delegation I get a SERVFAIL error.<br>
<br>
Am I trying to do something that is not possible or am I just missing some<br>
configuration?<br>
<br>
*main instance config*<br>
<br>
options {<br>
directory "/var/named";<br>
listen-on port 53 { listen addr; };<br>
auth-nxdomain yes;<br>
recursion yes;<br>
allow-query { ip addresses; };<br>
listen-on-v6 { any; };<br>
dnssec-enable no;<br>
dnssec-validation no;<br>
dnssec-lookaside auto;<br>
};<br>
<br>
logging {<br>
channel default_debug {<br>
file "data/named.run";<br>
severity debug 3;<br>
};<br>
<br>
channel querylog {<br>
file "data/query.log";<br>
severity debug 5;<br>
};<br>
<br>
category default { default_debug; };<br>
category queries { querylog; };<br>
};<br>
<br>
zone "<a href="http://example.company.com" target="_blank">example.company.com</a>" IN {<br>
type forward;<br>
forward only;<br>
forwarders { ip address; };<br>
};<br>
<br>
zone "<a href="http://development.example.company.com" target="_blank">development.example.company.<wbr>com</a>" IN {<br>
type forward;<br>
forward only;<br>
forwarders { ip address; };<br>
};<br>
<br>
<br>
<br>
--<br>
Sent from: <a href="http://bind-users-forum.2342410.n4.nabble.com/" target="_blank">
http://bind-users-forum.<wbr>2342410.n4.nabble.com/</a><br>
______________________________<wbr>_________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">
https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a><u></u><u></u></p>
</blockquote>
</div>
</div>
</div></div>
</div>
</blockquote></div><br></div></div></div>
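<p>Added example, not part of any message in this thread: a Python check for whether a server is usable as a delegation target, based on the distinction the thread draws between recursive queries (RD=1, what a client sends) and iterative queries (RD=0, what a delegating server sends). The name <code>host.example.company.com</code>, the helper names and the two sample replies are constructed for illustration, not captured from the servers discussed.</p>

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, recurse, qtype=1, qid=0x1234):
    """Encode a DNS query. recurse=False clears RD (an iterative query)."""
    header = struct.pack("!HHHHHH", qid, RD if recurse else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields that matter here."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "answers": an, "authority": ns,
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F))}

def delegation_verdict(reply):
    """Judge a reply to an RD=0 query the way a delegating parent would."""
    h = parse_header(reply)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["aa"] and h["rcode"] in ("NOERROR", "NXDOMAIN"):
        return "authoritative"
    # NS records only: a referral, valid only if it points further down the tree.
    if h["rcode"] == "NOERROR" and h["answers"] == 0 and h["authority"] > 0:
        return "referral"
    return "lame: " + h["rcode"]

def ask(server_ip, name, recurse, timeout=3.0):
    """Send the query over UDP to server_ip and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, recurse), (server_ip, 53))
        return s.recv(4096)

def constructed_reply(flags, name="host.example.company.com"):
    """Constructed sample: the query echoed back with response flags set."""
    q = build_query(name, recurse=False)
    return q[:2] + struct.pack("!H", flags) + q[4:]

AUTH_REPLY = constructed_reply(QR | AA)      # authoritative, empty answer
FWD_REPLY = constructed_reply(QR | RA | 2)   # SERVFAIL without AA
```

<p>Against a live server, <code>delegation_verdict(ask(ip, name, recurse=False))</code> shows what the delegating side sees, while <code>recurse=True</code> reproduces the direct client query that works in the original post.</p>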