<div dir="auto"><div dir="auto"><div>You absolutely can zone forward a child domain if you load the parent. You have to be sure that NS records for the child exist in the parent or the server will ignore the forward.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Sep 23, 2025, 4:44 PM Fred Morris <<a href="mailto:m3047@m3047.net" target="_blank" rel="noreferrer">m3047@m3047.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>I got around to trying this in my test lab. It's not possible to
forward a zone (subdomain) when BIND 9.18 is authoritative for a
higher-level domain.</p>
<p>Not expecting an answer / workaround. There is an easy workaround
if recursion is ok, and that is to publish the glue in the TLD
(you can see it there commented out); do that and you don't need
to forward. TLDR: forwarding accomplishes nothing. Don't chase
this squirrel.</p>
<p>The bigger issue is... the bigger issue. That would be to serve
forwarded zones as authoritative.<br>
</p>
<p>--</p>
<p>Fred Morris, internet plumber</p>
<p>--<br>
</p>
<div>On 9/8/25 7:42 AM, Michael Richardson
wrote:
</div>
<blockquote type="cite">
<pre>Does this work:
* turn off recursion on the "front" facing server.
* use forwarders to forward to an internally facing server that does
have recursion on. This can be an alias on lo. It could even be a view.
I'm not sure if it will really work.... reads Bind9-doc..
"Forwarding can also be configured on a per-domain basis, allowing for the
global forwarding options to be overridden in a variety of
ways. Particular domains can be set to use different forwarders, or have a
different forward only/first behavior, or not forward at all; see zone."
I'm unclear if forwarding is allowed when not recursing.</pre>
</blockquote>
<p>Forwarding is not allowed unless recursion is allowed. A note in
<a href="https://kb.isc.org/docs/using-private-name-space" rel="noreferrer noreferrer" target="_blank">https://kb.isc.org/docs/using-private-name-space</a> confirms a
corollary of this:</p>
<blockquote>
<p>Zone types forward, stub and static-stub do not make your
server authoritative for any zones so defined.</p>
</blockquote>
<p>But there's opaque business logic, we'll get to that. The
following tests were both conducted with "recursion yes" in
options.</p>
<p><b>Test 1: Private TLD Defined</b></p>
<p>Note that the "AA" flag is set in both responses (in spite of
"recursion yes").</p>
<pre>===m3047-captive.fwd===
$TTL 600
@ IN SOA FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. (
        1     ; serial
        600   ; refresh 10 minutes
        60    ; retry 1 minute
        86400 ; expire 1 day
        600   ; minimum TTL 10 minutes
        )
        NS  FEDORA.SOPHIA.M3047.
        TXT "This is a captive environment. Authorized use only."
FEDORA.SOPHIA A 192.168.123.5
;REDIS PTR REDIS.FLAME
; PTR REDIS.ATHENA
; PTR REDIS.SOPHIA
;REDIS.FLAME NS FLAME
;REDIS.ATHENA NS RKVDNS.ATHENA
;REDIS.SOPHIA NS SOPHIA
;FLAME A 10.0.0.253
;RKVDNS.ATHENA A 10.0.0.231
;SOPHIA A 10.0.0.224
===named.conf===
zone "m3047" {
type master;
file "m3047-captive.fwd";
};
zone "redis.athena.m3047" {
type forward;
forward only;
forwarders { 10.0.0.231; };
};
zone "redis.flame.m3047" {
type forward;
forward only;
forwarders { 10.0.0.253; };
};
zone "redis.sophia.m3047" {
type forward;
forward only;
forwarders { 10.0.0.224; };
};
===results===
m3047@sophia:~> dig @fedora.sophia m3047 soa | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35385
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
--
;; ANSWER SECTION:
m3047. 600 IN SOA FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. 1 600 60 86400 600
m3047@sophia:~> dig @fedora.sophia health.get.redis.sophia.m3047 txt | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14789
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
</pre>
<p><b>Test 2: Private TLD not defined</b></p>
<p>Note that the "AA" flag is not set in responses.</p>
<pre>===named.conf===
//zone "m3047" {
// type master;
// file "m3047-captive.fwd";
//};
zone "redis.athena.m3047" {
type forward;
forward only;
forwarders { 10.0.0.231; };
};
zone "redis.flame.m3047" {
type forward;
forward only;
forwarders { 10.0.0.253; };
};
zone "redis.sophia.m3047" {
type forward;
forward only;
forwarders { 10.0.0.224; };
};
===results===
m3047@sophia:~> dig @fedora.sophia m3047 soa | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
m3047@sophia:~> dig @fedora.sophia health.get.redis.sophia.m3047 txt | grep -E -A1 '>HEADER<| ANSWER SECTION'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2223
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
--
;; ANSWER SECTION:
health.get.redis.sophia.m3047. 23 IN TXT "redis.sophia.m3047."
</pre>
</div>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list.<br>
</blockquote></div><div data-smartmail="gmail_signature">-Ben Croswell</div></div>
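<p>Ben's point (the parent zone must delegate the child with NS records or the forward zone is ignored) and Fred's two tests, as an added example that is not code from the thread or from BIND: a small Python check that parses a zone file and a named.conf, finds every <code>type forward</code> zone that sits below a locally authoritative (<code>type master</code>) zone, and reports whether the parent's zone file delegates it. The zone file and named.conf are the ones from Test 1, embedded as constructed test data (indentation of the owner-less records restored, the SOA condensed). The two parsers, the function names and the verdict strings are this example's own assumptions; the parsers cover only the syntax used in the thread.</p>

```python
"""Added example, not code from the thread: check that every BIND
'type forward' zone below a locally authoritative zone is delegated by
NS records in that parent's zone file.  The two small parsers are this
example's own assumption and cover only the syntax used in the thread."""
import re

# Zone file from Test 1 as constructed test data (indentation of the
# owner-less records restored; delegation and glue still commented out).
ZONE_FILE = """\
$TTL 600
@ IN SOA FEDORA.SOPHIA.M3047. CONSULTING.M3047.NET. (
        1 ; serial
        600 60 86400 600 )
        NS  FEDORA.SOPHIA.M3047.
        TXT "This is a captive environment. Authorized use only."
FEDORA.SOPHIA  A   192.168.123.5
;REDIS.FLAME   NS  FLAME
;REDIS.ATHENA  NS  RKVDNS.ATHENA
;REDIS.SOPHIA  NS  SOPHIA
;FLAME         A   10.0.0.253
;RKVDNS.ATHENA A   10.0.0.231
;SOPHIA        A   10.0.0.224
"""
ZONE_FILE_DELEGATED = re.sub(r"^;", "", ZONE_FILE, flags=re.M)  # the workaround

NAMED_CONF = """\
zone "m3047" { type master; file "m3047-captive.fwd"; };
zone "redis.athena.m3047" { type forward; forward only; forwarders { 10.0.0.231; }; };
zone "redis.flame.m3047"  { type forward; forward only; forwarders { 10.0.0.253; }; };
zone "redis.sophia.m3047" { type forward; forward only; forwarders { 10.0.0.224; }; };
"""
NAMED_CONF_NO_TLD = "\n".join(NAMED_CONF.splitlines()[1:])  # Test 2: no private TLD


def _strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def parse_zone(text, origin):
    """Yield (owner_fqdn, rrtype) per record, joining '(' ... ')' lines."""
    origin = origin.rstrip(".").lower()
    owner, buf, depth = None, [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip() or line.startswith("$"):
            continue
        if depth == 0:  # a line starting with blank inherits the owner
            inherits_owner = line[0].isspace()
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth:
            continue
        tokens, buf = " ".join(buf).split(), []
        if not inherits_owner:
            name = tokens.pop(0).lower()
            if name == "@":
                owner = origin
            else:
                owner = name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"
        while tokens[0].isdigit() or tokens[0].upper() == "IN":  # optional TTL/class
            tokens.pop(0)
        yield owner, tokens[0].upper()


def parse_named_conf(text):
    """Return {zone_name: type}, skipping '//' comment lines."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("//")]
    text, zones = "\n".join(lines), {}
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', text):
        depth, i = 1, m.end()
        while depth:  # scan to the matching close brace (forwarders nests one)
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        kind = re.search(r"\btype\s+(\w+)\s*;", text[m.end():i])
        zones[m.group(1).rstrip(".").lower()] = kind.group(1).lower() if kind else "?"
    return zones


def check_forward_zones(named_conf, zone_files):
    """zone_files maps each master zone name to its zone-file text.  Returns
    {forward_zone: 'no local parent' | 'delegated' | 'missing delegation'}."""
    zones = parse_named_conf(named_conf)
    masters = [z for z, t in zones.items() if t in ("master", "primary")]
    verdicts = {}
    for fz, t in zones.items():
        if t != "forward":
            continue
        parents = [mz for mz in masters if fz.endswith("." + mz)]
        if not parents:
            verdicts[fz] = "no local parent"  # nothing local shadows the forward
            continue
        parent = max(parents, key=len)  # closest enclosing authoritative zone
        ns_owners = {o for o, rt in parse_zone(zone_files[parent], parent) if rt == "NS"}
        # An NS set below the parent apex and at or above the forward zone name
        # is a delegation that cuts the name out of the parent's authority.
        cut = any(o != parent and (fz == o or fz.endswith("." + o)) for o in ns_owners)
        verdicts[fz] = "delegated" if cut else "missing delegation"
    return verdicts


if __name__ == "__main__":
    for label, conf, files in (("Test 1 as posted", NAMED_CONF, {"m3047": ZONE_FILE}),
                               ("Test 1, glue uncommented", NAMED_CONF, {"m3047": ZONE_FILE_DELEGATED}),
                               ("Test 2", NAMED_CONF_NO_TLD, {})):
        print(label, check_forward_zones(conf, files))
```

<p>Run stand-alone it prints one verdict per forward zone for three configurations: Test 1 as posted gives "missing delegation" for all three (the setup in which the query came back NXDOMAIN with AA set), the same zone file with the commented lines restored gives "delegated", and Test 2 gives "no local parent" because nothing authoritative sits above the forward zones. The check treats an NS set at any name between the parent apex and the forward zone as a delegation, since such a cut also removes the name from the parent's authority; that generalisation is the example's, not a claim from the thread.</p>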