<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Mar 14, 2019, at 6:56 PM, Paul Vixie <<a href="mailto:paul@redbarn.org" class="">paul@redbarn.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">So, effectively the authoritative server does some forwarding of queries<br class="">to a designated backend, but only specified zones, and it should<br class="">always act as an authoritative server, in the sense that it doesn't<br class="">require RD=1. I've spun my wheels a little bit and haven't found an<br class="">effective solution, so I'm looking to my friends in the DNS<br class="">Community. 
Any ideas?<br class=""></blockquote><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">i think your backend should FORMERR on RD=1. note that it will have to be able to respond to SOA and NS queries at the apex.</span></div></div></blockquote><div><br class=""></div>The backend is not yet fully functional, but eventually, of course, it will do all that it needs to serve (pun intended) its purpose.</div><div><br class=""><blockquote type="cite" class=""><div class=""><div class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">straight-forward "zone { type forward; ... 
}" would almost work (in BIND9, though other servers implement the same feature with different syntax)</span></div></div></blockquote><div><br class=""></div><div>This was what I tried first, but recursion is disabled on my BIND server, so all my queries destined for the "forwarded" zone are immediately returned by BIND as REFUSED.</div><br class=""><blockquote type="cite" class=""><div class=""><div class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">except, you have to use TTL 0 to prevent caching, and, i'm not completely clear on what the real server will do with an RD=0 query in terms of forwarding.</span></div></div></blockquote><br class=""></div><div>Yep, RD=0 with forward seems to result in REFUSED.</div><div><br class=""></div><div>Thanks for the ideas.</div><div><br class=""></div><div>Casey</div></body></html>