#2108 [RFE] support bind forward zones, aka DNS conditional forwarding
Closed: Fixed None Opened 8 years ago by rcritten.


IPA should support BIND forward zones, conditional forwarding based on the
domain suffix of the name trying to be resolved, in addition to the global
forwarders that it already supports

For example, all records that end with
someDomain.example.com forwarded to

It would be nice to be able to prioritize forwarding.  Global forwarders and
conditional forwarders could be ranked in a list box like

someDomain.example.com -> (conditional Forwarder)
* -> (Global Forwarder)

from BIND manual:
A "forward zone" is a way to configure forwarding on a per-domain basis. A zone
statement of type forward can contain a forward and/or forwarders statement,
which will apply to queries within the domain given by the zone name. If no
forwarders statement is present or an empty list for forwarders is given, then
no forwarding will be done for the domain, canceling the effects of any
forwarders in the options statement. Thus if you want to use this type of zone
to change the behavior of the global forward option (that is, "forward first
to", then "forward only", or vice versa, but want to use the same servers as
set globally) you need to respecify the global forwarders.

May need to file bug against bind-dyndb-ldap to add support.

Eventually this ticket will go to 3.1 backlog after pre-work is done.

Moving to the proper milestone where the blocking ticket is planned.

How to test:

  1. Install the first FreeIPA server with DNS support that will serve as a resolver for zone example.com
  2. Install a second FreeIPA server with DNS support that will serve as a second resolver for zone example2.com
  3. Back on the first FreeIPA server add a domain example.com that will be forwarded to the second server:

    $ ipa dnszone-add example.com --name-server=hostname

  4. Instruct bind-dyndb-ldap to forward all requests to example.com to the DNS server managed by second FreeIPA (example assumes that it's address is

    $ ipa dnszone-mod example.com --forwarder=

  5. Now test that requests issued to the first FreeIPA server for zones other than example.com ($SOMEZONE) are resolved by this server (or one of its global forwarders):

    dig -t soa $SOMEZONE

You can also see all DNS packets sent by the first FreeIPA server to make sure that no request is sent to the second FreeIPA server (

tcpdump -ni eth0 udp port 53
  1. Now you can check that the zone example.com is really forwarded to and resolved by the second FreeIPA server:

    dig -t soa example.com

You can also set --forward-policy and use tcpdump to check that when its set to first or no value it forwards the request to both second FreeIPA server and configured global forwardwers and that when its set to only it forwards the request only to the second FreeIPA server.

I filed a relevant bug (conditional forwarding does not work when the forwarded zone is a sub-zone of other managed zone):


Moving to next month iteration.

Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02

2 years ago

Login to comment on this ticket.