Maybe I am missing something, but the caching DNS server will do recursion, and must be configured specially for "internal": - forwarding to particular authoritative servers, or - have a local copy of the 'internal' zone. Otherwise it will send the queries to the root and get an NXDOMAIN answer.
If they have local copies, then there is no need for 'internal' to be on an authoritative server. So the 'resolvers' must have the internal zone configured. Whether that counts as 'special' is debatable, but I think it needs to be spelled out. And for DNSSEC, does it need a trust anchor on each resolver, or is there another way? -- Bob Harold
_______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org
