Bind forwarding zone proxy zone How

Hi,

I've the following problem:

I have a machine IP x.x.x.x with bind 9.3 which is authoritative master for a number of domains. There is a private network behind x.x.x.x using 10.1.1.0-24

Now I want to delegate a globally visible subdomain "sub.domain.com" to another machine on the private network, e.g. 10.1.1.1 - more specifically I want that all queries for sub.domain.com are being answered by bind on 10.1.1.1 (and I would even like to use a port different than 53 there, e.g. 5353)

It is clear that I can not do in the global DNS for domain.com a delegation like "sub IN NS 10.1.1.1", thus I tried the following:

global delegation in domain.com:

"sub IN NS x.x.x.x"

added in the config of BIND on x.x.x.x:

zone "sub.domain.com" in { type forward; forward only; forwarders { 10.1.1.1 port 5353 ; }; };

But: THIS DOES NOT WORK :-(

More precisely:

- if I type (from any outside IP on the internet, or from local IP or x.x.x.x):

"host test.sub.domain.com x.x.x.x"

it works as intended - the bind on x.x.x.x gets the query and generates a query to 10.1.1.1 on port 5353!

- but if I type (from any outside IP on the internet) that is use the available local DNS server to resolve it:

"host test.sub.domain.com"

I see that the query (from IP's local DNS resolver) arrives at x.x.x.x (tcpdump) but bind on x.x.x.x IMMEDIATELY responds with ServFail WITHOUT even generating a query to 10.1.1.1 !!!!!

I really don't understand why is this? I tried even to open all ACLs etc - did not help! Seems really that it works only if x.x.x.x is asked directly by a client but does not work if the client asks through its local DNS server?

Can anyone explain that - and how to do it right?