Partial zone authority

greg.chavez at gmail.com
Thu Jul 21 13:38:41 UTC 2005


I work at the DNS and SMTP gateways of a large organization.  We have a
horribly considered split horizon setup, with internal and external DNS
servers holding separate authority for our domain, banana.gov.  When
we change the A record for www.banana.gov, I have to make changes to
both the internal and external master.  Bad policy rules; reform is
difficult.

In any case, when people - lazy people, usually, with suspect technical
backgrounds - want a funny configuration to work, invariably I am
called upon. DNS, they feel, will fix all.  On this one demand,
however, I want to make a stand:

We have just opened up a private T1 line to a sister organization with
a different domain, lemon.gov.  I have been asked to set up a copy of
their domain on our internal name servers to resolve one A record -
cas.lemon.gov - to an IP which will be accessed over the T1.  Never
mind why, they just want it done.  The Internet name servers for
lemon.gov do not serve this record - it is entirely internal.  So I
have been asked to either replicate the lemon.gov domain internally,
pretend to be authoritative for it, and add the A record for "cas"; or
find a way to serve a record for "cas" and forward all other queries to
the Internet.

It seems to me that the latter is not possible.  You can't be partially
authoritative, can you?  I pored over the O'Reilly book and seemed to
confirm that.  And the former idea is just plain nuts.  The lemon.gov
domain is an important domain and has many hosts and subdomains.
Maintaining a separate copy would be extremely problematic.  Breakage
would be easy.

The solution, it seems to me, is to forward all lemon.gov queries to an
authoritative name server accessible via the T1.  If no such name
server is accessible that way, the burden should shift to the lemon.gov
people.  No?  Am I missing something?  I am having a hard time selling
my opinions to the overseers.

Thanks
--Greg Chavez
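The forwarding design the post argues for, and the alternative of being authoritative for just the one name, written out as a BIND 9 named.conf fragment. This is an added example, not configuration from the original post or from either organization: the server addresses (10.20.30.53 for lemon.gov's internal name server on the far end of the T1, 10.20.30.40 for the cas host), the internal client ranges, and the zone file paths are all placeholders.

```conf
// Added example, not from the original post.  Assumed: this is the
// internal BIND 9 master for banana.gov, it recurses for internal
// clients, and lemon.gov's internal authoritative server is reachable
// over the T1 at 10.20.30.53 (placeholder address).
options {
    directory "/var/named";
    recursion yes;
    // Placeholder internal ranges; never recurse for the Internet.
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };
};

// Our own internal copy of banana.gov (the internal half of the split).
zone "banana.gov" {
    type master;
    file "master/banana.gov.internal";
};

// Option A (the post's proposal): hand every lemon.gov query to
// lemon.gov's internal server across the T1.  "forward only" means
// that if that server is unreachable the query fails (SERVFAIL)
// instead of falling back to Internet recursion, so a T1 outage cannot
// silently start returning the public lemon.gov data, which has no
// "cas" record.  Use "forward first" only if that fallback is wanted.
zone "lemon.gov" {
    type forward;
    forward only;
    forwarders { 10.20.30.53; };
};

// Option B (what the post asks about): BIND cannot be authoritative for
// part of lemon.gov, but it can be authoritative for the single-label
// child zone cas.lemon.gov.  The most specific matching zone wins, so
// cas.lemon.gov is answered from the file below while every other
// lemon.gov name is resolved normally (or forwarded, if Option A is
// also configured).  Nothing of lemon.gov itself is copied.
zone "cas.lemon.gov" {
    type master;
    file "master/cas.lemon.gov";
    allow-transfer { none; };
};

// master/cas.lemon.gov, shown here as a comment for reference.  Only
// the apex A record is served; the zone needs its own SOA and NS.
//   $TTL 3600
//   @   IN SOA  ns1.banana.gov. hostmaster.banana.gov. (
//                   2005072101 ; serial
//                   3600       ; refresh
//                   900        ; retry
//                   604800     ; expire
//                   3600 )     ; negative TTL
//       IN NS   ns1.banana.gov.
//       IN A    10.20.30.40    ; placeholder, reached over the T1
```

Checks worth doing before declaring either option done: `named-checkconf` and `named-checkzone cas.lemon.gov master/cas.lemon.gov` for syntax, then `dig @<internal-master> cas.lemon.gov A` and `dig @<internal-master> www.lemon.gov A` from an internal client, so that the special name and an ordinary lemon.gov name both resolve. For Option A the lemon.gov server at the far end must accept queries from the banana.gov resolver (its allow-query, and any firewall on the T1, has to permit UDP and TCP 53 from it), and it must either answer recursively or be authoritative for everything under lemon.gov, since all lemon.gov names are sent there. With Option B the burden on the lemon.gov people disappears, but the cas.lemon.gov zone is now banana.gov's to maintain, which is exactly the kind of local override that is easy to forget about when lemon.gov later changes the host.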


