3.12.1 Problem
You want a BIND 9 slave name server to forward any dynamic updates it receives from addresses on the local networks for a zone to its master name server.
3.12.2 Solution
Use the allow-update-forwarding zone substatement. For example:
zone "foo.example" { type slave; masters { 192.168.0.1; }; file "bak.foo.example"; allow-update-forwarding { localnets; }; };
The slave name server forwards any dynamic updates it receives to the foo.example zone to its master name server, at 192.168.0.1.
3.12.3 Discussion
For the most part, if you make sure that your zone's SOA record contains the domain name of the primary master name server in the MNAME field, you won't need to worry about update forwarding. Most updaters will automatically find your primary master and send their updates there. But if you use a hidden primary master or have ill-behaved clients, you may need this.
Forwarding updates, however, makes IP address-based authorization using allow-update even more dangerous than usual, because forwarded updates have the slave name server's source address. If you use update forwarding, you should use TSIG-signed dynamic updates, too. It doesn't matter if a slave forwards a signed update: it still bears the signature.
3.12.4 See Also
Section 3.11 for permitting dynamic updates; Recipes Section 5.20, Section 5.21, and Section 5.23 for sending dynamic updates -- particularly TSIG-signed updates -- using nsupdate; Recipes Section 9.10 and Section 9.11 for sending updates programmatically; and "TSIG-Signed Updates" in Chapter 10 of DNS and BIND.
Getting Started
Zone Data
BIND Name Server Configuration
Electronic Mail
BIND Name Server Operations
Delegation and Registration
Security
Interoperability and Upgrading
Resolvers and Programming
Logging and Troubleshooting
IPv6