Problema de forwarding en bind9

Estaba tratando de configurar el forwarding en el servidor bind9 de la subred de los ciclos para que reenviara peticiones a los servidores DNS de la red del centro, y a pesar de que la configuración es sencilla, no funcionaba:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        recursion yes;
        forwarders { 172.19.144.3; 172.19.144.2; };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation yes;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Buscando un poco, he encontrado que si dejamos dnssec-validation auto, bind9 no realiza las peticiones a los servidores que le hayamos indicado, pero sí funciona cuando el valor es yes o no. Un bug??

Publicado por primera vez en http://enavas.blogspot.com.es