bind: forwarding zone does not work when allow-recursive not allowed

7 votes
1 answer
6579 views
I have the following setup:

- DNS-Server reachable from the internet, is authoritative for zone foo.com
- DNS-Server reachable only locally, should be authoritative for zone test.lab.foo.com

What I try to achieve: When a DNS query from the outside world reaches the first DNS server for a record belonging to the zone test.lab.foo.com, I want it to make a recursive request to the second DNS server and then forward the records. I explicitly don't want to do zone transfers or make the second DNS server reachable from the internet.

My configuration looks like this (I only copied the [what I think] important parts to here). On the first DNS-Server:
options {
    allow-recursion {
        localnets;
        localhost;
        internal;
        my-datacenter;
        mc-office;
    };
};

zone "test.lab.foo.com" {
    forward only;
    forwarders {
        ;
    };
    type forward;
};

zone "foo.com" {
    file "/etc/bind/zones/foo.com.zone";
    type master;
};
My issue: When I am in a local network that is whitelisted in the allow-recursion block, it works as expected. When I try the DNS lookup from the internet, I get a NOERROR with an empty response back. During debugging, I adjusted the allow-recursion list and added any to it. Then it was working. But I don't want my DNS server to allow any kind of recursion. I actually only want "outside" lookups for this one specific zone to be recursive. How can I set allow-recursion for just one zone?
Asked by Racer (241 rep)
Feb 9, 2021, 06:23 PM
Last activity: Oct 10, 2023, 04:03 PM
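As an added illustration (not part of the question or the asker's configuration), a small lint that parses a constructed named.conf fragment modelled on the one above and flags exactly this mismatch: a forward zone, which BIND can only serve by recursing, combined with an allow-recursion ACL that does not cover the querying clients. The forwarder address 192.0.2.53 is a documentation-range placeholder, the sample text is constructed, and BIND's default ACL of localnets/localhost is assumed when the statement is absent.

```python
# Lint a BIND named.conf fragment: forward zones only serve clients that
# pass allow-recursion (the situation described in the question above).
import re

# Constructed sample modelled on the question's config; the forwarder
# address is a documentation-range placeholder, not from the original post.
SAMPLE_CONF = """
options {
    allow-recursion { localnets; localhost; internal; my-datacenter; mc-office; };
};
zone "test.lab.foo.com" {
    forward only;
    forwarders { 192.0.2.53; };
    type forward;
};
zone "foo.com" {
    file "/etc/bind/zones/foo.com.zone";
    type master;
};
"""

def _block_body(text, start):
    """Text inside the brace block that opens at text[start] == '{' (nesting-aware)."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces")

def allow_recursion_acl(conf):
    """Entries of the first allow-recursion ACL; BIND's default when absent."""
    m = re.search(r"allow-recursion\s*\{", conf)
    if not m:
        return ["localnets", "localhost"]
    return [e.strip() for e in _block_body(conf, m.end() - 1).split(";") if e.strip()]

def forward_zones(conf):
    """Names of zones declared with 'type forward'."""
    return [m.group(1) for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf)
            if re.search(r"\btype\s+forward\s*;", _block_body(conf, m.end() - 1))]

def lint(conf):
    """Forwarding is a recursive lookup, so clients outside allow-recursion are
    not forwarded; 'any' would instead open recursion for every name."""
    acl = allow_recursion_acl(conf)
    return [] if "any" in acl else [
        f"forward zone {z!r} only works for clients matching {acl}" for z in forward_zones(conf)]
```

Running `lint(SAMPLE_CONF)` reports the test.lab.foo.com forward zone as reachable only for the listed ACL members, which matches the behaviour the question observes from internet clients.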