Use allow-query on primary servers?

[Martin Horneffer]

Is it advisable to use allow-query to limit queries to one's primary
zones, as in CIAC J-063. I.e. something like:

acl "trusted" {
...
};

options {
...
       allow-query { trusted; };
};

zone "example.com" {
        type master;
        file "example.com";
        allow-query { any; };
};

If doing this, clients that are not in "trusted" appear to get strange
errors when resolving non-existing names within "example.com".

-- 
Martin Horneffer -- Horneffer at rrz.uni-koeln.de