Hello Katie,
and reject
domain: test.net nserver: ns2.example.com 168.0.0.1
Hope it is clearer now; any suggestions about better and clearer phrasing are appreciated.
That's fine, the owner name of the glue A/AAAA RR may be at any level greater or equal than the zone to be delegated. But ...
The only new glue-related checks will be: 1) Making sure all glue IPs listed in domain object are also listed in the zone at every nameserver
... this test might fail in otherwise correct configurations. Unless explicitly excluded, a glue RR may belong to a zone _below_ the delegated one, so the servers of the delegated zone cannot be expected to authoritatively know the A/AAAA RR(s). I'd not believe this is common in e164.arpa, but than I'd also have thought there's no need for glue in that domain in the first place ...
2) Glue name must be within the same domain (already listed above)
Yep. And the check should include the presence of mandatory glue RRs. With a miced v4/v6 environment, would a name server with v6 only glue be accepted (v4 only obviously is)? How many glue RRs would be allowed per name server entry? -Peter