Comment 16 for bug 1909950

Mauricio Faria de Oliveira (mfo) wrote :

For doc purposes, I've had an interesting time
debugging why the bind9 forwarding didn't work
to a host running dnsmasq/libvirt (DNS server).

After some tcpdump comparisons against a local
dig client that worked fine, it turns out that
dnssec-validation must be changed from 'auto'
to 'yes', and then bind9 forwarding worked OK!

bind forwarder / default (see percent symbol): FAIL / NotImp
---

$ sudo tcpdump -i vnet9 'port 53'
...
22:59:07.461914 IP 192.168.122.11.48475 > rotom.domain: 36180+% [1au] A? ubuntu.com. (51)
22:59:07.462424 IP rotom.domain > 192.168.122.11.48475: 36180 NotImp 0/0/1 (62)
...

local client (no percent symbol): PASS
---

$ sudo tcpdump -i lo 'port 53'
...
22:58:24.444288 IP rotom.47673 > rotom.domain: 30984+ [1au] A? ubuntu.com. (51)
22:58:24.444915 IP rotom.domain > rotom.47673: 30984 4/0/1 A 91.189.88.181, A 91.189.91.44, A 91.189.91.45, A 91.189.88.180 (103)
...

bind forwarder / dnssec-validation yes (NO percent symbol): PASS
---

$ sudo tcpdump -i vnet9 'port 53'
...
23:04:28.551700 IP 192.168.122.11.47530 > rotom.domain: 36699+ [1au] A? ubuntu.com. (51)
23:04:28.648898 IP rotom.domain > 192.168.122.11.47530: 36699 4/0/1 A 91.189.91.45, A 91.189.88.181, A 91.189.88.180, A 91.189.91.44 (126)
...

Reference: https://serverfault.com/questions/399911/tcpdump-dns-output-codes#400044
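As an added example (not part of this comment or of bind9/dnsmasq), a small Python parser for tcpdump's DNS summary notation that decodes the flag characters after the transaction id (the `%` is the CD bit) and pairs each query with its response, so the "CD-bit query gets NotImp" pattern above can be picked out of a capture automatically. The regexes and the sample lines (copied from the three captures above) are my own constructions.

```python
import re

# Flag characters tcpdump prints after the DNS id (print-domain.c): '+' RD, '$' AD, '%' CD (checking disabled), '*' AA, '-' RA not set, '|' TC.
FLAG_CHARS = {"+": "RD", "$": "AD", "%": "CD", "*": "AA", "-": "!RA", "|": "TC"}
LINE_RE = re.compile(
    r"^\S+ IP \S+ > \S+: (?P<id>\d+)(?P<flags>[+$%*|-]*)(?: \[(?P<edns>[^\]]+)\])?"
    r"(?: (?P<rcode>NXDomain|ServFail|NotImp|Refused|FormErr))? (?P<rest>.*)$"
)
QUERY_RE = re.compile(r"^(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")
ANSWER_RE = re.compile(r"^(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")

# Constructed sample: the three query/response pairs from the captures above.
SAMPLE_LINES = [
    "22:59:07.461914 IP 192.168.122.11.48475 > rotom.domain: 36180+% [1au] A? ubuntu.com. (51)",
    "22:59:07.462424 IP rotom.domain > 192.168.122.11.48475: 36180 NotImp 0/0/1 (62)",
    "22:58:24.444288 IP rotom.47673 > rotom.domain: 30984+ [1au] A? ubuntu.com. (51)",
    "22:58:24.444915 IP rotom.domain > rotom.47673: 30984 4/0/1 A 91.189.88.181, A 91.189.91.44, A 91.189.91.45, A 91.189.88.180 (103)",
    "23:04:28.551700 IP 192.168.122.11.47530 > rotom.domain: 36699+ [1au] A? ubuntu.com. (51)",
    "23:04:28.648898 IP rotom.domain > 192.168.122.11.47530: 36699 4/0/1 A 91.189.91.45, A 91.189.88.181, A 91.189.88.180, A 91.189.91.44 (126)",
]

def parse_line(line):
    """Decode one tcpdump DNS summary line; returns None for non-DNS lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"id": int(m["id"]), "flags": [FLAG_CHARS[c] for c in m["flags"]]}
    q, a = QUERY_RE.match(m["rest"]), ANSWER_RE.match(m["rest"])
    if q:
        rec.update(kind="query", qtype=q["qtype"], qname=q["qname"])
    elif a:
        rec.update(kind="response", rcode=m["rcode"] or "NoError", answers=int(a["an"]))
    return rec if q or a else None

def correlate(lines):
    """Pair queries with responses by DNS transaction id."""
    txns = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            txns.setdefault(rec["id"], {})[rec["kind"]] = rec
    return txns

def diagnose(txn):
    """Summarise a pair the way the comment reads the captures: rcode vs CD bit."""
    q, r = txn.get("query"), txn.get("response")
    if not q or not r:
        return "incomplete"
    cd = "set" if "CD" in q["flags"] else "clear"
    return f"{r['rcode']} with {r['answers']} answer(s); CD bit {cd}"
```

Running `diagnose` over `correlate(SAMPLE_LINES)` separates the failing pair (CD bit set, NotImp) from the two that resolved normally.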