Can we provide recursion for forward zones in response to iterative queries?

bind-lists at iano.org
Tue Apr 7 20:24:58 UTC 2020


I had been told they tried that twice and in both cases the domain controller would not let them add the conditional forwarder. On the strength of your having said it worked in your situation, they tried again and now it is working.

Thank you!
Maria

> On Apr 6, 2020, at 11:37 AM, Chris Buxton <clists at buxtonfamily.us> wrote:
> 
> On Apr 3, 2020, at 9:06 AM, bind-lists at iano.org wrote:
>> Because the AD domain controllers already own 10.in-addr.arpa, they refuse to allow us to configure conditional forwarding for its subdomains. So we delegated the subdomains to the inbound endpoints. Because they are delegations, the domain controllers set the recursion desired flag to 0 on the queries they send to the endpoints, and we are not getting replies from the endpoints.
>> 
>> As a workaround we tried delegating to our linux bind caching resolvers but we ran into the same issue, that the domain controllers set recursion desired to 0. As a result, when our linux caching servers have the result in cache, the lookup is successful, but when it would require a fresh lookup it gets a reply with no answers. Hence my question, is there a way to tell our bind caching resolvers to ignore the recursion desired flag and provide recursion anyway?
> 
> I've solved this before. You've tried two solutions, and neither worked alone. You need to do both.
> 
> - Delegate the subzones in question to the forwarders (or anywhere, really).
> - Add conditional forwarding for the subzones also, pointing to the forwarders.
> 
> Without the delegation, the conditional forwarding won't work -- the MS DNS servers will respond authoritatively. But without the conditional forwarding, the MS DNS servers will send iterative queries, not recursive queries.
> 
> Regards,
> Chris Buxton
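
The two steps Chris describes (delegate the subzone and add a conditional forwarder for the same name on the AD DNS servers), written out as an added PowerShell example; this is not from the thread or from anyone in it. The zone name 1.10.in-addr.arpa, the forwarder addresses 10.0.0.53 and 10.0.1.53, the name server name ns-inbound.example.internal and the PTR name used for verification are assumed placeholders. The cmdlets are the ones shipped in the Windows DnsServer module.

```powershell
# Added example (not from the thread): make one reverse subzone of
# 10.in-addr.arpa both delegated and conditionally forwarded on a Windows
# DNS server that is already authoritative for 10.in-addr.arpa.
# Assumed placeholders: $ChildZone, $Forwarders, $NsName and the PTR name.

$ParentZone = '10.in-addr.arpa'
$ChildZone  = '1.10.in-addr.arpa'
$Forwarders = @('10.0.0.53', '10.0.1.53')
$NsName     = 'ns-inbound.example.internal'

# Step 1: delegate the subzone out of the parent. Without this the DC keeps
# answering authoritatively for names under it and the forwarder is never used.
Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildZone `
    -NameServer $NsName -IPAddress $Forwarders[0]

# Step 2: add a conditional forwarder for the same name. Without this the DC
# follows the delegation with iterative queries (recursion desired = 0),
# which a caching resolver will not recurse for.
Add-DnsServerConditionalForwarderZone -Name $ChildZone -MasterServers $Forwarders `
    -ReplicationScope 'Forest'

# Check both objects exist: the delegation lives under the parent zone, the
# forwarder shows up as a zone of type Forwarder.
Get-DnsServerZoneDelegation -Name $ParentZone | Where-Object { $_.ZoneName -eq $ChildZone }
Get-DnsServerZone -Name $ChildZone | Select-Object ZoneName, ZoneType, MasterServers

# Verify end to end: a PTR that only the forwarders can resolve should now be
# answered by the DC itself (1.1.1.10.in-addr.arpa is an assumed test name).
Resolve-DnsName -Name '1.1.1.10.in-addr.arpa' -Type PTR -Server 'localhost'
```

If the second cmdlet is refused because the DC still considers itself authoritative for the child name, run the delegation step first and then retry the forwarder; the order matters because the forwarder is only accepted once the name is no longer served from the parent zone.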
