Consider parent-centric delegations
This is an umbrella issue to discuss the parent vs child-centric delegations.
Child-centric NS
The child-centric NS way lets the child NS records override the delegation NS, but the parent NS has to be used at least once. This works fine as long as the parent and child NS records are in sync. When they are not in sync (both inter and intra), the used delegation NS can vary between runs based on what's in the cache.
Parent-centric NS
The parent-centric NS way always uses the parent NS records for delegations, but requires a separate "delegation" database that's distinct from the resource-record cache. The parent-centric NS doesn't suffer from the problems that could happen when the child-NS and parent-NS are out of sync - there's only one "authority" for the delegation NS (parent).
This approach is not without problems - because of the way DNS is (under-)specified, the child-centric NS has been used for a long time, and changing the BIND 9 to use parent NS will break some users' expectations. Fortunately for us, this path has been already paved by (at least) Nominum Vantio and Google Public DNS (and apparently the world didn't collapse).
To be considered
-
DS vs apex-CNAME -
parent vs child NSEC RRsets -
glue records from the parent pointing into the child zone -
Debug/query options
(add more as stuff comes up in the discussion)