This isn't an NZ specific question, and also perhaps a bit basic; hope that's OK.
Packaged (Debian, Ubuntu anyway) versions of BIND come with various default zones configured - localhost, broadcast and root hints.
Are any of these actually necessary for an authoritative-only name server? It seems to me they're mostly/only useful for short-circuiting simple/standard queries on a resolver. Is that right?
They're not necessary strictly from a serving-authoritative-answers perspective. But because you're running a general-purpose OS, other packages on the OS may require name resolution, and if you have a nameserver installed, that generally forces it to be the resolver for local queries. (For example, cron jobs may generate email, and those may need to look up MX and/or SPF records.) So you could either (a) provide an off-host resolver (presumably elsewhere in your cluster), or (b) run a separate on-host resolver and arrange for the two services to listen on different addresses (resolver on 127.0.0.1 & auth on "others"), or (c) run BIND in split-view mode. There's no harm leaving the root hints in place - a "hint" zone is only used when BIND itself needs to look something up, never for answers to queries (although they might find their way into the "additional" section). So the answer is "it depends". -Martin