Found a thread on petri via google; 43834 (won't let me post a link, so here is the thread number).
I am doing the same thing and I want to ensure I am doing the right thing security-wise. I can enumerate the domain that they will be on, but I am not using the same domain for anything else; the domain that the public DNS servers will be on is only for the public DNS servers and is not internet-registrable.
The DNS will have recursion disabled, and only have UDP 53 open to them.
This will make all the DNS servers basically primaries and allow a change made at one to replicate to the others. It would also work for anycast; does anyone see any downsides?
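An added PowerShell check (not from the poster or the thread) for the configuration described above: recursion off, zones stored in AD so changes replicate without zone transfers, and zone transfers disabled. It assumes it is run on each public DNS server with the Windows DnsServer module available (Windows Server 2012 or later).

```powershell
# Added verification script, not from the original post. Assumes it runs on each public
# DNS server with the Windows DnsServer module available (Windows Server 2012 or later).
# Checks the properties the post describes: recursion off, primary zones AD-integrated
# (so updates replicate through AD instead of zone transfers), zone transfers disabled.
Import-Module DnsServer -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[string]

# 1. Recursion must be off on an authoritative-only public server; an open resolver
#    can be abused for reflection/amplification against third parties.
if ((Get-DnsServerRecursion).Enable) {
    $findings.Add('Recursion is ENABLED; fix with: Set-DnsServerRecursion -Enable $false')
}

# 2. Every hand-created forward primary zone should be stored in Active Directory and
#    should not offer classic zone transfers, which AD replication makes unnecessary.
$zones = Get-DnsServerZone | Where-Object {
    -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone -and $_.ZoneType -eq 'Primary'
}
foreach ($z in $zones) {
    if (-not $z.IsDsIntegrated) {
        $findings.Add("Zone $($z.ZoneName) is file-backed, not AD-integrated; it will not replicate via AD")
    }
    if ($z.SecureSecondaries -ne 'NoTransfer') {
        $findings.Add("Zone $($z.ZoneName) permits zone transfers ($($z.SecureSecondaries)); fix with: Set-DnsServerPrimaryZone -Name $($z.ZoneName) -SecureSecondaries NoTransfer")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: recursion disabled, all primary zones AD-integrated, no zone transfers'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The perimeter rule should allow TCP 53 as well as UDP 53: resolvers retry over TCP when a UDP answer comes back truncated (TC bit set), so large responses fail if only UDP is permitted.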