bind as "reverse-proxy"

Erich Eckner bind at eckner.net
Wed Feb 26 14:28:13 UTC 2020


Hi,

Is it possible to set up a zone in bind similar to an http(s) reverse 
proxy:

1. The server appears authoritative to clients (the consulted server is 
indeed authoritative).

2. Each request is passed on to the other server (or served from cache), 
but the information is *not* obtained by zone transfers (because the other 
server does not have/allow this).

So far, I had used a forward zone (to assure condition 2), but it violates 
condition 1:

directly queried:
# dig @127.0.0.1 -p 5353 ns.i.eckner.net

; <<>> DiG 9.16.0 <<>> @127.0.0.1 -p 5353 ns.i.eckner.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61359
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns.i.eckner.net.		IN	A

;; ANSWER SECTION:
ns.i.eckner.net.	3600	IN	A	193.30.121.109

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Feb 26 15:09:45 CET 2020
;; MSG SIZE  rcvd: 49


querying the "reverse-proxy":
# dig @127.0.0.1 -p 53 ns.i.eckner.net

; <<>> DiG 9.16.0 <<>> @127.0.0.1 -p 53 ns.i.eckner.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30724
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: de8d1f39eca01509010000005e567c38203e4e1025c43f9d (good)
;; QUESTION SECTION:
;ns.i.eckner.net.		IN	A

;; ANSWER SECTION:
ns.i.eckner.net.	3600	IN	A	193.30.121.109

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 26 15:10:00 CET 2020
;; MSG SIZE  rcvd: 88


This is the relevant part of my config (so far):

zone "i.eckner.net" IN {
     type forward;
     forwarders {
         127.0.0.1 port 5353;
     };
     forward only;
};

Is it possible to fake/force the authoritative-bit in the answer for 
queries below "i.eckner.net"?

regards,
Erich

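Added example, not part of the original post: the difference between the two dig outputs above ("flags: qr aa" versus "flags: qr rd ra") lives in the 16-bit flags word of the DNS header, which this sketch decodes. The two 12-byte headers are constructed here from the ids, flags and section counts dig printed; the function names are hypothetical.

```python
import struct

# Flag bits inside the 16-bit DNS header flags word (RFC 1035, section 4.1.1).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100, "ra": 0x0080}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "flags": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "opcode": (flags >> 11) & 0xF,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "counts": {"query": qd, "answer": an, "authority": ns, "additional": ar},
    }


def classify(msg: bytes) -> str:
    """Say whether a response claims to come from authoritative data."""
    header = parse_header(msg)
    if "qr" not in header["flags"]:
        return "not a response"
    if "aa" in header["flags"]:
        return "authoritative"
    if "ra" in header["flags"]:
        return "non-authoritative (recursion available)"
    return "non-authoritative"


# Constructed headers only (no question or answer sections), mirroring the
# values dig reported for the two queries in the post.
DIRECT = struct.pack("!6H", 61359, 0x8400, 1, 1, 0, 0)   # port 5353: qr aa
FORWARD = struct.pack("!6H", 30724, 0x8180, 1, 1, 0, 1)  # port 53: qr rd ra

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("forward zone", FORWARD)):
        hdr = parse_header(raw)
        print(f"{label}: id={hdr['id']} flags={' '.join(hdr['flags'])} "
              f"status={hdr['rcode']} -> {classify(raw)}")
```
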

