绑定 - 如何将 DNS 请求代理到另一台服务器（静态存根/转发类型无法按预期工作）

如何将 DNS 请求从 bind9 代理到 acme-dns？

这是我的 named/bind9 配置文件

options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        dnssec-validation auto;
        listen-on-v6 { any; };

        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        recursion yes;
        allow-recursion { any;}; # had to change to allow bind9 to query 127.0.0.53 
        version "go away";
};

zone "xample.in" {
    type master;
    file "/usr/local/etc/bind/zones/db.xample.in";
};

zone "auth.example.com" {
  type static-stub;
  server-addresses { 127.0.0.3; };
  forward first;
  forwarders { 127.0.0.3; };
};

我设置acme-dns运行127.0.0.3:53。它回复 SOA、NS 和 TXT 记录。

在使用查询时dig TXT test.auth.example.com +trace，我发现-E(0)D可以使用dig TXT test.auth.example.com @127.0.0.1 +norecurse +noedns +dnssec

Jun 17 03:14:09 in-servername named[6000]: client @0xffff7c0142c8 127.0.0.1#53223 (test.auth.example.com): query: test.auth.example.com IN TXT -E(0)D (127.0.0.1)
Jun 17 03:14:09 in-servername named[6000]: client @0xffff7c0142c8 127.0.0.1#53223 (test.auth.example.com): query failed (REFUSED) for test.auth.example.com/IN/TXT at query.c:5499

版本：

BIND 9.16.16 (Stable Release)
OS: Linux ARM64(aarch64)

我尝试设置dnssec-validation no;，但没有效果

配置文件

https://github.com/joohoi/acme-dns/blob/master/config.cfg

[general]
listen = "127.0.0.1:53"
# domain name to serve the requests off of
domain = "auth.example.com"
# zone name server
nsname = "one.ns.example.com"
# admin email address, where @ is substituted with .
nsadmin = "admin.example.com"
# predefined records served in addition to the TXT
records = [
    # domain pointing to the public IP of your acme-dns server 
    "auth.example.com. A 198.51.100.1",
    # specify that auth.example.org will resolve any *.auth.example.org records
    "auth.example.com. NS one.ns.xample.in.",
]

区域文件

$TTL    3600
@       IN      SOA     one.ns.xample.in. webmaster.xample.in. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       86400   IN      NS      one.ns.xample.in.
@       86400   IN      NS      two.ns.xample.in.
@       IN      A       1.1.1.1
www     IN      A       1.1.1.1
_dmarc  IN      TXT     "v=DMARC1; p=reject;"
_acme-challenge IN  TXT __test_message__

问题：如何将 DNS 请求从 bind9 代理到 acme-dns？