* Simon Waters:
> This is _nothing_ to do with what you're running on the recursive nameserver. It is doing _exactly_ what it is supposed to do. Get answers, store in cache, respond to queries from cache if TTL isn't expired.
> The answers from a recursive server won't be marked authoritative (AA bit not set), and so correct behaviour is to discard (BIND will log a lame server message as well by default) these records.

Unfortunately, this is not quite true. Brad and Chris are right. I couldn't believe it either, but after a long stare at BIND's is_lame function, I have to agree with them. BIND accepts non-authoritative answers if their additional section looks a bit like a referral. I don't think that this check is deliberately lax, but stricter checks are simply harder to do on this particular code path.

> If your recursive resolver doesn't discard these records, suggest you get one that works ;)

Which one would? Keep in mind that referrals do not have the AA bit set, so a simple filter wouldn't work.
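
An added example, not part of the original post and not BIND's is_lame logic: a Python sketch of why the AA bit alone cannot separate a referral from a cached answer, and what else a resolver has to look at. It assumes a referral is a response with AA clear, an empty answer section and NS records in the authority section; the function names and sample messages are constructed for illustration.

```python
import struct

AA = 0x0400      # Authoritative Answer flag in the DNS header (RFC 1035)
TYPE_NS = 2

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while True:
        n = msg[off]
        if n == 0 or n & 0xC0 == 0xC0:  # root label or compression pointer
            return off + (1 if n == 0 else 2)
        off += 1 + n

def rr_types(msg, off, count):  # types of `count` records, plus next offset
    types = []
    for _ in range(count):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen
    return types, off

def classify(msg):
    """Classify a response from a server that was queried as authoritative."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    _, off = rr_types(msg, off, an)
    auth_types, _ = rr_types(msg, off, ns)
    if flags & AA:
        return "authoritative"
    if an == 0 and TYPE_NS in auth_types:
        return "referral"                   # AA clear is expected here
    return "non-authoritative answer"       # e.g. data served from a cache

# Constructed sample messages (names and addresses are illustrative only).
def name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"
def rr(owner, rtype, rdata):
    return name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
def message(flags, answers, authority):
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = name("www.example.com") + struct.pack("!HH", 1, 1)
    return hdr + question + b"".join(answers + authority)
A_RR = rr("www.example.com", 1, bytes([192, 0, 2, 1]))
NS_RR = rr("example.com", TYPE_NS, name("ns1.example.com"))
AUTH_ANSWER = message(0x8400, [A_RR], [])           # QR + AA
REFERRAL = message(0x8000, [], [NS_RR])             # QR only, no answer
CACHED_ANSWER = message(0x8080, [A_RR], [NS_RR])    # QR + RA, answer present
```

`REFERRAL` and `CACHED_ANSWER` both have AA clear and NS records in the authority section; only the answer count tells them apart in this sketch.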