Strange Behavior

Lawrence MacIntyre macintyrelp at ornl.gov
Mon Oct 26 18:36:58 UTC 2009


Hi:

I have a name server running named on a closed network.  The root 
servers name my node and another node (running DNS on a Sidewinder 
firewall) as authoritative for our domain as well as several 
subdomains.  Two of the subdomains have their own servers, and we 
configured our (allegedly authoritative) servers as slaves to the 
subdomain servers.  This worked well for several years.  Now, these 
subdomains have decided (for "security" reasons) that they are going to 
disallow zone transfers to us.  So we set our servers to forward 
requests to the subdomain nameservers.  The Sidewinder does this, but 
our server doesn't.  It simply reports that it has no information about 
any node in the subdomain.  Remote users report that when they use dig 
+trace @ourserver node.in.subdomain, they see referrals to the Internet 
root servers.  Our hints file has the correct root servers, and we don't 
even have a file listing the Internet root servers.  I cannot verify 
their claims, as it doesn't do that when queried from our site, and I 
have no access to an account on any remote site.

What does named do when it is listed as authoritative for a domain by 
the root servers, but is configured to forward requests for addresses in 
that domain?   Does anyone know how the remote users could see referrals 
to the Internet root servers even though we have the correct root 
servers set in our nameserver?

Thanks,

Lawrence



More information about the bind-users mailing list