Are you loading the parent domain and trying to zone forward a child domain on the same DNS server? I.e. loading somedomain.local and trying to forward ab.somedomain.local
If so an NS delegation is required in every instance I have done in my environment. The NS doesn't need to be "right" but it needs to exist. I don't know the internal BIND logic for that but I have always taken it as "I load the parent and I know the child doesn't exist because there isn't a delegation to make it exist so why would I forward something that doesn't exist". On Tue, Mar 1, 2022, 1:18 PM Gregory Sloop <gr...@sloop.net> wrote: > Static-sub fixes the issue. > > > > Any idea why static-sub works when forwarder doesn't? > > > > (Again, the server is using recursion. Dig queries return the RA flag, so > I know it's actually offering recursion in reality.) > > > > I can live with static-sub just fine, since it works - but I'd really love > to understand why forwarder didn't - just so I can avoid getting bitten by > it in some other situation. > > > > Thanks Andrej! > > -Greg > > > > > Is static-stub something you are looking for? > > > Reference documentation: > > https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types > > > And in human terms: > https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/ > > > Ondrej > -- > Ondřej Surý (He/Him) > ond...@isc.org > > > My working hours and your working hours may be different. Please do not > feel obligated to reply outside your normal working hours. > > > On 28. 2. 2022, at 21:47, Gregory Sloop <gr...@sloop.net> wrote: > > So, I want to forward all queries for > *.ab.somedomain.local to some other internal DNS servers. > (Records in *.ab.somedomain.local actually are our active domain servers) > > (Yes, I know .local is reserved now, but we've been using it a long time > and changing would be rather painful. Unless there's some horrible > consequences, I think we'll just continue for now. We won't ever use mDNS.) > > zone "ab.somedomain.local" { > type forward; > forward only; > forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; }; > }; > > But this doesn't appear to do what I want. > > If I add the above to my regular BIND servers configuration, it doesn't > return results like it's forwarding them. (I get NXDOMAIN for > abc.ab.somedomain.local.) > > If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I > get a proper result. (force dig to use the AD name servers directly, > instead of relying on the forward.) > > (And yes the resolv.conf file has the ip addresses of the main internal > BIND servers in it, and those only.) > I've looked and while I think I'm doing it right, I'm not entirely sure. > I figured before I beat my head against the wall for too long, I'd ask the > real experts! :) > > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > > > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users >
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users