How should you configure the existing forest trust settings? In the table below, identify which configuration must be performed in each forest

HOTSPOT
Your network contains three Active Directory forests. The forests are configured as shown in
the following table.

A two-way forest trust exists between contoso.com and division1.contoso.com. A two-way
forest trust also exists between contoso.com and division2.contoso.com.
You plan to create a one-way forest trust from division1.contoso.com to
division2.contoso.com.
You need to ensure that any cross-forest authentication requests are sent to the domain
controllers in the appropriate forest after the trust is created.
How should you configure the existing forest trust settings?
In the table below, identify which configuration must be performed in each forest. Make only
one selection in each column. Each correct selection is worth one point.


Answer:

Explanation:

There will be a one-way forest trust from division1.contoso.com to division2.contoso.com.
Division1 trusts Division2. Division2 must be able to access resources in Division1.
Division1 should not be able to access resources in Division2.





The answers from V.2 without the arguments.


Add division1.contoso.com as a name suffix routing entry = Division2.contoso.com
Add division2.contoso.com as an exclusion to the name suffix routing entry of contoso.com = Division1.contoso.com

RP666


Am unsure why you think this is the answer.
The forest containing the accounts is division2. Why wouldn’t we route authentication from div1 to div 2?
IE.
Add division2.contoso.com as a name suffix routing entry = Division1.contoso.com

JeanMalot


No need to add name suffix routing entries on both sides. They are created automatically when the trust is established.

A.H.


It has to be:
a) Add div2 exclusion on div 1
b) Add div1 exclusion on div 2.

1: According to MS the initial routing entries are done on both incoming and outgoing trust when the trust is established.
2. Even if the route was not set on div2’s outgoing trust, you can’t set it. Doing so would mean two answers in that column, because b) has to be an answer to avoid a conflict between *.contoso.com and *.div1.contoso.com in div2’s routing table.
3. Forest trusts do not seem to be transitive over several trusts, meaning that if you don’t do a), requests by div1 to div2 would not be denied due to lack of trust in that direction, but be sent to *.contoso.com which wouldn’t know what to do with it.

I believe “You need to ensure that any cross-forest authentication requests are sent to the domain
controllers in the appropriate forest after the trust is created.” means that div1 should have the proper routing, so requests get properly denied due to lack of trust, rather than be routed to a forest which doesn’t understand the request.

unless MS is lying here: https://technet.microsoft.com/en-us/library/cc784334%28v=ws.10%29.aspx

“To simplify administration of authentication requests, when a forest trust is initially created, all unique name suffixes are routed by default.”