Delete your "bar.com" zone from your W2K3 DNS server. Create a zone "gum.bar.com", and create a blank host record in that zone pointing to the LAN IP of the local server. Problem solved. >smile<
The W2K3 DNS server can't be simultaneously authoritative for a domain while forwarding queries that it can't resolve to another DNS server. It's just a limitation of the product. Working around it, per the above, is how we've always handled it.
Never you mind the comments section below, and never you mind the previous answers in the edit history. After about an hour of some conversation with friends (thank you @joeQwerty, @Iain, and @JourneymanGeek), and some jovial hacking around we got to the bottom of both your question and the situation on the whole. Sorry for brusqueness and misunderstanding the situation completely at first.
Let's step through the process:
- You buy
wesleyisaderp.com at, let's say, NameCheap.com.
- Namecheap as your registrar will be where you populate your NS records. Let's say you actually want to host the DNS zone on Digital Ocean.
- You point your shiny new domain's NS records to
ns1.digitalocean.com and ns2.digitalocean.com.
- However, let's say I was able to determine that you had registered that domain, and furthermore that you had changed your NS records to Digital Ocean's. Then I beat you to a Digital Ocean account and added the zone wesleyisaderp.com to my own.
- You try to add the zone in *your* account but Digital Ocean says that the zone already exists in their system! Oh noes!
- I CNAME
wesleyisaderp.com to wesleyisbetterthanyou.com.
- Hilarity ensues.
Some friends and I just played this exact scenario out, and yes it works. If @JoeQwerty buys a domain and points it to the Digital Ocean nameservers, but I already had that zone added to my account, then I am the zone master and can do with it what I want.
However consider that someone would have to first add the zone to their DNS account, and then you'd have to point your NS records to the name servers of that same host for anything nefarious to happen. Furthermore, as the domain owner, you can switch NS records any time you want and move the resolution away from the bad zone host.
The likelihood of this happening is a bit low to say the least. It is said that, statistically, you can shuffle a deck of 52 playing cards and get an ordering that no other human has ever gotten, and no other human ever will. I think the same reasoning exists here. The likelihood of someone exploiting this is so very low, and there are better shortcuts in existence, that it probably won't happen in the wild by accident.
Furthermore, if you own a domain at a registrar and it someone happens to have made a zone on a provider like Digital Ocean that you collide with, I'm sure if you provide proof of ownership, they'd ask the person who made the zone in their account to remove it since there's no reason for it to exist as they're not the domain name owner.
But what about A records
The first person to have a zone on, for instance Digital Ocean, will be the one that controls it. You cannot have multiple identical zones on the same DNS infrastructure. So for example, using the silly names above, if I have wesleyisaderp.com as a zone on Digital Ocean, no one else on Digital Ocean's DNS infrastructure can add it to their account.
Here's the fun part: I actually really have added wesleyisaderp.com to my Digital Ocean account! Go ahead and try to add it into yours. It won't hurt anything.
So as a result, you can't add an A record to wesleyisaderp.com. It's all mine.
But what about...
As @Iain pointed out below, my point #4 above is actually too verbose. I don't have to wait or plot or scheme at all. I can just make thousands of zones in an account and then sit back and wait. Technically. If I make thousands of domains, and then wait for them to get registered, and then hope they use the DNS hosts that I've set my zones on... maybe I can do something kinda bad? Maybe? But probably not?
Apologies to Digital Ocean & NameCheap
Note that Digital Ocean and NameCheap are not unique, and have nothing to do with this scenario. This is normal behavior. They are blameless on all fronts. I just used them since that was the example given, and they're very well known brands.
Best Answer
Not sure about bind, but windows DNS goes up down (example.com is evaluated first) and as the zone does not redelegate test.example.com - that is the end (i.e. test.example.com never gets asked).