Hi Phil, Apologies if my approach was not clear, after Steve's mail. But I tested by using dig without the +trace option. I have tested the following from an IP, which is accepted via the trusted ACL:
dig @10.10.10.1 www.domain2.com A dig @10.10.10.1 domain2.com NS And directly from the internal DNS server 10.10.10.1: dig @127.0.0.1 www.domain2.com A dig @127.0.0.1 domain2.com NS Regards, Carol On Sun, Sep 08, 2013 at 11:54:34AM +0100, Phil Mayers wrote: > You're not understanding: > > +trace is done client-side, and from the top-down. It doesn't honour > any forwarders set server-side. It also doesn't replicate what a > real recursive client does, so it's not a good test. > > What happens if you test without +trace? Just do: > > dig @10.x.x.x www.domain2.com > > Ignore +trace - it's not useful in this situation. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users