[Pdns-users] forward zone VS rpz with recursor?

Brian Candler b.candler at pobox.com
Thu Feb 12 08:08:27 UTC 2026


On 12/02/2026 06:19, listy via Pdns-users wrote:
> Seems that in my 'traditional' forward zones config file I was missing 
> the '+'
>
> +forwarded.zone=9.9.9.9,8.8.4.4
>
> then yes, public recursors work - otherwise NS for those domains are
> needed (as a side-note to a beginner like myself)

The issue is that you need to set the "Recursion Desired" (RD) bit on 
requests which are going to recursive servers. It must not be set on 
requests which are sent to authoritative servers.

It's not really a case of NS records being required. An authoritative 
server will typically have NS records pointing at it (so that it can be 
found), but it's not necessary to function. You could, for example, set 
up a standalone authoritative server for a hidden zone, and forward 
requests to it from the recursor.

If the zone above is DNSSEC signed, but the hidden zone is not, that's 
when a Negative Trust Anchor (NTA) 
<https://doc.powerdns.com/recursor/lua-config/dnssec.html> is also required.
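
Added example, not part of the original post and not PowerDNS code: a simplified reading of the `[+]zone=addr,addr` lines discussed above, showing which DNS header bit the `+` prefix changes on the forwarded query. The `hidden.zone` entry, its `192.0.2.53` address and all function names are constructed for illustration.

```python
import struct

RD = 0x0100  # Recursion Desired bit in the 16-bit DNS header flags (RFC 1035)

# Constructed sample; hidden.zone and 192.0.2.53 are placeholders.
SAMPLE = """\
+forwarded.zone=9.9.9.9,8.8.4.4
hidden.zone=192.0.2.53
"""

def parse_forward_zones(text):
    """Simplified parser for '[+]zone=addr[,addr...]' lines.
    Returns {zone: (servers, recurse)}; a leading '+' means recurse."""
    zones = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        recurse = line.startswith("+")
        zone, sep, servers = line.lstrip("+").partition("=")
        addrs = [s.strip() for s in servers.split(",") if s.strip()]
        if not sep or not zone.strip() or not addrs:
            raise ValueError(f"malformed forward line: {raw!r}")
        zones[zone.strip().rstrip(".")] = (addrs, recurse)
    return zones

def build_query(qname, rd, qtype=1, txid=0x1234):
    """Build a minimal DNS query (one question, class IN) with RD set or clear."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def rd_is_set(packet):
    """Read the RD bit back out of a DNS message header."""
    (flags,) = struct.unpack("!H", packet[2:4])
    return bool(flags & RD)

def queries_for(text):
    """Map each zone to (servers, query bytes) with RD matching the '+' prefix."""
    return {z: (addrs, build_query(z, rd=recurse))
            for z, (addrs, recurse) in parse_forward_zones(text).items()}

if __name__ == "__main__":
    for zone, (addrs, pkt) in queries_for(SAMPLE).items():
        print(f"{zone:16} -> {addrs} RD={int(rd_is_set(pkt))}")
```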