why bind9 doesn't show A RR's cached with glue credibility even to +norec clients

Ladislav Vobr lvobr at ies.etisalat.ae
Tue Aug 31 08:33:07 UTC 2004


I have some cases where all nameservers for a *single* domain are 
unreachable and bind9 is trying to reach all of them for every single 
request it receives. A good thing to do would be bogusing these 
nameservers, but there is no way to find their IP addresses?

Although bind9 caches these IP addresses and is flooding them heavily, it 
refuses to reveal them to anybody. So it looks to me like the current 
procedure to stop these kinds of floods is:

1. Miraculously discover the flooded domain
(nobody knows it better than bind, but it is quiet about it)

2. Miraculously discover the A record for each nameserver
(nobody else knows better than your own bind what the cached 
addresses for this domain are, but querying it for these A records will not 
help)

3. Bogus all these A records

Or better

1. Ignore it
(make sure your recursive-client queue is at least 20-30 thousand slots 
so you can handle it for a limited period of time)

Does anybody know another way?

PS: if you think dig will show it, then you have really never tried it; 
if you think bind knows what should be cached as *glue* or *answer*, then 
you have never troubleshot it. You need to be very lucky, since 
different servers have different opinions about the same thing.

Ladislav
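
Added example, not part of the original post and not BIND's own code: one way to carry out steps 2 and 3 above offline, by reading a text cache dump (as written by rndc dumpdb) for the A/AAAA records of a domain's nameservers, along with the trust label recorded above each record, and emitting server { bogus yes; } statements. The dump layout, the sample data and the function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample in cache-dump layout (layout assumed; documentation names/addresses).
SAMPLE_DUMP = """\
; glue
example.com.\t\t172800\tIN NS\tns1.example.net.
\t\t\t172800\tIN NS\tns2.example.net.
; glue
ns1.example.net.\t172800\tIN A\t192.0.2.1
; additional
ns2.example.net.\t3600\tA\t192.0.2.2
; additional
\t\t\t3600\tAAAA\t2001:db8::2
; answer
www.example.org.\t300\tIN A\t198.51.100.7
"""

# Owner may be blank (same name as the previous record); class is optional.
RR = re.compile(r"^(\S*)\s+(\d+)\s+(?:IN\s+)?(NS|A|AAAA)\s+(\S+)\s*$")

def parse_dump(text):
    """Yield (owner, rrtype, rdata, trust) for NS/A/AAAA records."""
    owner, trust = None, "unknown"
    for line in text.splitlines():
        m = RR.match(line)
        if line.startswith(";"):
            trust = line.lstrip("; ").strip() or trust
        elif m:
            owner = m.group(1).lower() or owner
            yield owner, m.group(3), m.group(4), trust

def nameserver_addresses(text, zone):
    """Map each cached address of zone's nameservers to (ns name, trust)."""
    zone = zone.lower().rstrip(".") + "."
    records = list(parse_dump(text))
    ns_names = {rd.lower() for o, t, rd, _ in records if t == "NS" and o == zone}
    found = {}
    for o, t, rd, trust in records:
        if t in ("A", "AAAA") and o in ns_names:
            found[str(ipaddress.ip_address(rd))] = (o, trust)
    return found

def bogus_statements(addresses):
    """Render named.conf server statements marking each address bogus."""
    return ["server %s { bogus yes; };  // %s (%s)" % (ip, ns, trust)
            for ip, (ns, trust) in sorted(addresses.items())]

if __name__ == "__main__":
    print("\n".join(bogus_statements(nameserver_addresses(SAMPLE_DUMP, "example.com"))))
```

The trust label in each generated comment shows whether the address was cached as glue, additional data or an answer, so entries can be reviewed before they are added to named.conf.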



