<div dir="auto"><div dir="auto">Forwarding is inherently recursive rather than iterative. When you forward your server is basically asking the question as if it was client resolver and expects the server being forwarded to do all the work.</div><div dir="auto"><br></div><div dir="auto">You may look at testing making the forward to <a href="http://example.com">example.com</a> a stub zone or a static stub zone. Both would be iterative queries and should get the NS delegations back for <a href="http://sub.example.com">sub.example.com</a></div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><br></div><div data-smartmail="gmail_signature" dir="auto">-Ben Croswell</div><br><div class="gmail_quote gmail_quote_container" dir="auto"><div dir="ltr" class="gmail_attr">On Tue, Oct 7, 2025, 8:36 AM Carlos Peon Costa <<a href="mailto:carlospeon@gmail.com">carlospeon@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'd like to share this scenario:<br>
<br>
* Domain "<a href="http://example.org" rel="noreferrer noreferrer" target="_blank">example.org</a>" is hosted on name server 1.1.1.1<br>
* This domain has a subdomain "<a href="http://my.example.org" rel="noreferrer noreferrer" target="_blank">my.example.org</a>" delegated to 2.2.2.2<br>
through regular NS glue records<br>
* To allow my bind nameserver know "<a href="http://example.org" rel="noreferrer noreferrer" target="_blank">example.org</a>" domain I set a<br>
per-domain forwarding:<br>
zone "<a href="http://example.org" rel="noreferrer noreferrer" target="_blank">example.org</a>" { type forward; forwarders { 1.1.1.1; }; };<br>
<br>
I've found that if I query "<a href="http://my.example.org" rel="noreferrer noreferrer" target="_blank">my.example.org</a>" to my bind nameserver it<br>
forwards the query to the appropriate nameserver 1.1.1.1 *with* the RD<br>
flag, but if 1.1.1.1 has no connection with 2.2.2.2 the query will<br>
fail. The point is that if the RD flag were disabled 1.1.1.1 would<br>
reply with the authoritative nameserver 2.2.2.2 and bind could reach<br>
this one and solve the query.<br>
<br>
RD flag must be set for global forwarders but I'm wondering if it<br>
makes sense to add a configuration option to allow set/unset RD flag<br>
in per-domain forward configurations.<br>
<br>
Regards,<br>
Carlos.<br>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list.<br>
</blockquote></div></div>