BIND & forwarding zone / proxy - HOW???

kurczaq fakjudupaq at yahoo.com.au
Sat Jul 1 10:28:34 UTC 2006


Hi,

I have the following problem:

I have a machine on IP x.x.x.x with bind 9.3 which is authoritative
master for a number of domains.  There is a private network behind
x.x.x.x using 10.1.1.0/24

Now I want to delegate a globally visible subdomain "sub.domain.com" to
another machine on the private network, e.g. 10.1.1.1 - more
specifically I want that all queries for sub.domain.com are being
answered by bind on 10.1.1.1 (and I would even like to use a port
different than 53 there, e.g. 5353)

It is clear that I can not do in the global DNS for domain.com a
delegation like:

"sub IN NS 10.1.1.1"

thus I tried the following:

global delegation in domain.com:

"sub IN NS x.x.x.x"

added in the config of BIND on x.x.x.x:

zone "sub.domain.com" in {
        type forward;
        forward only;
        forwarders { 10.1.1.1 port 5353 ; };
};

But: THIS DOES NOT WORK :-(

More precisely:

- if I type (from any outside IP on the internet, from a local IP, or
from x.x.x.x itself):

"host test.sub.domain.com x.x.x.x"

it works as intended - the bind on x.x.x.x gets the query and generates
a query to 10.1.1.1 on port 5353!

- but if I type (from any outside IP on the internet), i.e. use the
available local DNS server to resolve it:

"host test.sub.domain.com"

I see that the query (from that IP's local DNS resolver) arrives at
x.x.x.x (tcpdump), but bind on x.x.x.x IMMEDIATELY responds with ServFail
WITHOUT even generating a query to 10.1.1.1 !!!!!

I really don't understand why this is. I even tried opening all ACLs
etc. - it did not help! It really seems that it works only if bind on
x.x.x.x is asked directly by a client, but does not work if the client
asks through its local DNS server?

Can anyone explain that - and how to do it right?

:-(
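The difference the poster observes (direct query works, query via a remote resolver gets ServFail) comes down to the RD bit: BIND consults a `type forward` zone only while recursing on a client's behalf, and a resolver that follows the public NS delegation to x.x.x.x sends non-recursive queries, for which x.x.x.x holds no authoritative data. The probe below is an added example, not code from the original post: it sends the same question to a server twice, once with RD=0 (as a delegated-to resolver would) and once with RD=1 (as `host name server` does), and reports the RCODE, AA and RA flags of each reply so the two cases can be compared in one run. The server address, the name queried and the two embedded sample replies are constructed for illustration.

```python
"""DNS recursion probe (stdlib only): compare RD=0 vs RD=1 replies for one name.

Added example, not part of the original mailing-list post. The sample replies
at the bottom are constructed test data, not captures from the poster's server.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels, e.g. b'\\x04test\\x03sub...\\x00'."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, rd, txid=0x1234, qtype=QTYPE_A):
    """Build a single-question query; rd=True sets the RD (recursion desired) bit."""
    flags = 0x0100 if rd else 0x0000          # bit 8 of the flags word is RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response(data, expected_id=None):
    """Return the header fields a practitioner cares about when diagnosing SERVFAIL."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction id mismatch: got %#x, wanted %#x" % (txid, expected_id))
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),           # reply bit
        "aa": bool(flags & 0x0400),           # server claims authority for the answer
        "rd": bool(flags & 0x0100),           # RD echoed back from the query
        "ra": bool(flags & 0x0080),           # server offers recursion to this client
        "rcode": RCODES.get(rcode, str(rcode)),
        "answers": an,
    }


def probe(server, name, port=53, timeout=3.0):
    """Send the same question with RD=0 and RD=1 and return both parsed replies."""
    results = {}
    for rd in (False, True):
        txid = 0x1234 + int(rd)
        query = build_query(name, rd, txid=txid)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, port))
            data, _ = sock.recvfrom(4096)
        results["RD=1" if rd else "RD=0"] = parse_response(data, expected_id=txid)
    return results


# Constructed sample replies (not captures): what an iterative resolver would see
# from a server that only has a forward zone for the name, and what a client
# asking with RD=1 would see when the server does recurse via the forwarder.
_QUESTION = encode_name("test.sub.domain.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
SAMPLE_SERVFAIL_RD0 = struct.pack("!HHHHHH", 0x1234, 0x8002, 1, 0, 0, 0) + _QUESTION
SAMPLE_NOERROR_RD1 = (
    struct.pack("!HHHHHH", 0x1235, 0x8180, 1, 1, 0, 0) + _QUESTION
    + struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: %s <server-ip> <name>" % sys.argv[0])
    for label, reply in probe(sys.argv[1], sys.argv[2]).items():
        print(label, reply)
```

Run as `python3 probe.py x.x.x.x test.sub.domain.com` (assumed file name). If the RD=0 reply is SERVFAIL with `aa` clear while the RD=1 reply succeeds, the forward zone is doing exactly what BIND documents: it is used only for recursive lookups. The fix that keeps the server closed is to make x.x.x.x genuinely authoritative for `sub.domain.com`, for example a secondary zone pulled from `10.1.1.1 port 5353`, rather than widening `allow-recursion` to the internet, which would turn x.x.x.x into an open resolver.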
