external dns servers don't authoritatively serve the delegated domain well

[davepacheco]

The external DNS servers do not:

• serve an SOA record at $delegated_domain
• serve NS records for $delegated_domain
• serve A records for the NS records for $delegated_domain
• set the "authoritative" flag on responses

I am not sure if we should also be serving some combination of SOA, NS, and A records for sys.$delegated_domain and $silo.sys.$delegated_domain.

At the very least, this has (understandably) confused customers and hindered debugging (because it seems that dig +trace couldn't follow the chain to the silo-specific domain -- I have not tested this). Several customers have reported no problems with external DNS so it seems this doesn't necessarily break things.

[twinfees]

More details below (from a customer):

1. On returning an SOA record, the main fields below (at a minimum) need to be set correctly:

• SERIAL (needs to be correct in order for zone transfers to work).
• If DNS NOTIFY is not provided, TTL and REFRESH values need to be set appropriately to ensure regular zone transfers on the secondaries (for a workaround).
• MINIMUM (60 second or less).
• RNAME (email addr of the admin responsibile for the zone).

2. On returning an NS record:

• Allow zone transfers with DNS NOTIFY (uses a list of IP address - secondaries - that are immediately notified if the zone has changed, allowing the secondaries to update their copy of the zone.

3. Return "aa" bit on answers. While this can be worked around, setting this helps the DNS admin know that it's authoritative for the zone (e.g. this is not a recursively resolved or cache record being returned). Would help further with DNS troubleshooting in general.

4. Honor the DNS TYPE (SOA, NS, A, AAAA, ...).