forwarding to a child zone is different!!

Jim Reid jim at rfc1035.com
Thu Apr 26 10:36:04 UTC 2001


>>>>> "Brad" == Brad Knowles <brad.knowles at skynet.be> writes:

    Brad> 	I can agree that in certain very limited circumstances
    Brad> (such as when you have internal nameservers that are behind
    Brad> one or more firewalls and have no possible way of accessing
    Brad> the outside world and vice-versa) that it *MAY* be an
    Brad> acceptable risk to mix authoritative services with
    Brad> recursive/caching services on the same machine.

In fact if this is done correctly, it's a Good Thing. There's first a
separation between the authoritative servers and those acting as
resolver servers. [The first set get queried by other name servers and
are non-recursive. The others get queried by resolvers and process
recursive queries.] If the resolver servers are made authoritative for
all the internal zones, their caches cannot be poisoned for the local
name space. They can of course still be corrupted for anything else
they pick up while resolving, for instance domain names from other
networks: business partners and/or the Internet.
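
The split described in this message, sketched as two BIND named.conf files. This is an added illustration, not part of the original post or the poster's own configuration; the zone names, addresses and file names are assumptions.

```conf
# ---- named.conf on an authoritative-only server ----
# Queried by other name servers; never recurses.
acl internal-resolvers { 10.0.0.53; 10.0.1.53; };   # assumed resolver addresses

options {
    directory "/var/named";
    recursion no;                            # answer only from zone data
    allow-transfer { internal-resolvers; };  # resolvers pull the internal zones
};

zone "corp.example" {                        # assumed internal zone name
    type master;
    file "db.corp.example";
};

zone "10.in-addr.arpa" {                     # matching internal reverse zone
    type master;
    file "db.10";
};

# ---- named.conf on an internal resolver server ----
# Queried by stub resolvers; recursive for internal clients only.
acl internal-clients { 10.0.0.0/8; localhost; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal-clients; };
    allow-query { internal-clients; };
    allow-transfer { none; };
};

# Authoritative copies of every internal zone: answers for these names
# come from transferred zone data, so cached records cannot override them.
zone "corp.example" {
    type slave;
    masters { 10.0.0.10; };                  # assumed authoritative server
    file "bak.corp.example";
};

zone "10.in-addr.arpa" {
    type slave;
    masters { 10.0.0.10; };
    file "bak.10";
};
```

Names outside these zones are still resolved through the cache on the resolver server, so the protection covers only the zones listed there.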


More information about the bind-users mailing list