WS> If all your internal DNS servers are forwarding to the internal
WS> root or have their root-hints pointing to the Internal root,
WS> then how are you configuring the forwarders for external rez?

HM> This really isn't that hard, if all your INTERNAL Servers are
HM> set to use the Internal Namespace by pointing at internal root
HM> servers this requires that they use forwarders to check ANOTHER
HM> NameSpace (e.g., The Internet.)

If all of one's internal proxy DNS servers are configured with root hints
pointing at an internal "." content DNS server, they'll get _all_ of their
answers, both positive and negative, from that server and the content DNS
servers that it delegates to. There is no "checking another namespace" that
goes on.

If one's internal proxy DNS servers are also configured to forward to an external
(resolving) proxy DNS server, they'll get _all_ of their answers, both
positive and negative, from that server; unless it fails, in which case they
will fall back to query resolution and once again get all of their answers,
both positive and negative, from the internal "." content DNS server and the
servers that it delegates to. Again, there is no "checking another namespace"
that goes on.

Of course, in the latter case one's internal proxy DNS servers are recursing
to two different (sets of) DNS servers that provide two different views of the
DNS database, depending on whether the forwarding fails (not results in a
negative answer, note, but _fails_) for any given query. This is a recipe for
utter disaster.

HM> Thus, rule #1 which you guys have gone on so much about:
HM> You need a forwarder if you want to check two distinct
HM> namespaces, e.g., a private namespace and The Internet.

"Rule #1" is predicated on the existence of a single entity somehow seeing and
"checking" multiple namespaces. But this isn't the way that DNS works, and
doesn't happen. Each entity only ever sees _one_ namespace. The only place
where the notion of multiple namespaces makes reasonable sense is in "split
horizon" DNS service, where different entities see different namespaces, but
having (conditional) forwarding is but one way of achieving "split horizon"
DNS service. There are at least two others that do not require forwarding,
both of which are better.
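
The forward-then-fall-back behaviour described in the post above, as an added illustration that is not part of the original post: a toy model in Python showing that a negative answer from the forwarder is final, while a forwarder failure silently switches the proxy to the other view. All names, addresses and function names are constructed for the example.

```python
# Toy model (constructed data) of a proxy DNS server that forwards first and
# falls back to its own root hints only when the forwarder FAILS.
NXDOMAIN = "NXDOMAIN"

# View 1: what the external resolving proxy (the forwarder) answers.
EXTERNAL_VIEW = {"www.example.com.": "203.0.113.10"}
# View 2: what query resolution from the internal "." content server yields.
INTERNAL_VIEW = {"www.example.com.": "10.0.0.10", "intranet.corp.": "10.0.0.20"}


class ForwarderDown(Exception):
    """No usable response at all (e.g. a timeout), not a negative answer."""


def ask_forwarder(name, up):
    if not up:
        raise ForwarderDown(name)
    # A name the forwarder does not know is a negative ANSWER, not a failure.
    return EXTERNAL_VIEW.get(name, NXDOMAIN)


def resolve_from_root_hints(name):
    return INTERNAL_VIEW.get(name, NXDOMAIN)


def proxy_resolve(name, forwarder_up):
    """Return (answer, view_used) for one query."""
    try:
        return ask_forwarder(name, forwarder_up), "external"
    except ForwarderDown:
        # Only a failure triggers fallback to the internal root.
        return resolve_from_root_hints(name), "internal"


def inconsistent_names(names):
    """Names whose answer depends on whether the forwarder happened to be up."""
    out = {}
    for n in names:
        up, down = proxy_resolve(n, True)[0], proxy_resolve(n, False)[0]
        if up != down:
            out[n] = (up, down)
    return out


if __name__ == "__main__":
    names = sorted(set(EXTERNAL_VIEW) | set(INTERNAL_VIEW))
    for name, (up, down) in inconsistent_names(names).items():
        print(f"{name}: forwarder up -> {up}; forwarder down -> {down}")
```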