Master for domain as set in SOA is not visible to world

[lhcash at us.ibm.com]

Hi, I'm asking about something I'm pretty sure will *work*, but I'm not
sure how good an idea it is.  I have a domain (call it blah.org).  I want
to make the master for this domain a system which is the master for some
internal (not visible to the world) domains.  The only systems visible to
the world (and the ones which will, therefore, be listed in the NS records,
etc.) are slaves.  This system is, of course, behind a firewall and not
reachable...and I really don't want anyone outside our group to even know
this system exists, for obvious reasons.  The alternative is either (1) to
move the master to one of the external systems, thereby increasing
administrative overhead tremendously (lots of domains, lots of nameservers
in our setup) and putting the master in our DMZ (where I don't want it), or
(2) to make the server listed in the SOA record something other than the
real master, which means the master will, of course, not see itself as
authoritative.

I am wondering especially about the second alternative - I am assuming (I
haven't tried it yet, though) that the external secondaries/slaves will
still return authoritative answers, as long as they are listed in the NS
records for the domain - and since these are the only servers queryable by
the world at large, this should suffice.  Is my reasoning sound, and are
there any sticky issues I'm missing here?

-Sandy

--
Sandy Cash
Systems Administrator, Unix Geek
lhcash at us.ibm.com
(919) 254-6482 t/l 444