You can also run NSD as an authoritative frontend to your BIND servers, and unbound as a caching resolver with forward-zone entries to your BIND server for your domains.
This is what I do, which allows me the full gamut of BIND features without exposing those servers directly to any networks (there is a non-routed VLAN that the nsd/unbound/bind servers use). This is using split-horizon, DDNS from ISC DHCP and DNSSEC, so not a trivial setup, but it is also my home network setup, so not so heavy duty as to be particularly hard to set up and automate.
I also have a round-robin DNSCrypt setup hooked into the whole thing for semi-anonymity of queries.
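To make the layering above concrete, here is an illustrative pair of config excerpts (added as an example; this is not the poster's configuration). Unbound acts as the clients' caching, validating resolver and forwards only the internal zone to a hidden BIND on the non-routed VLAN; NSD acts as the public authoritative front end and pulls the zone from that same BIND over TSIG-authenticated zone transfer. Zone name `home.example`, the addresses `192.168.1.53`, `10.0.99.10`, `203.0.113.53`, the key name `xfer.home.example` and all file paths are assumed.

```conf
# --- unbound.conf (excerpt) ---------------------------------------------
# Caching resolver on the client LAN. Illustrative only; names and addresses
# are assumed, not the poster's.
server:
    interface: 192.168.1.53                 # assumed LAN address clients query
    access-control: 192.168.1.0/24 allow    # only the client LAN may recurse
    access-control: 0.0.0.0/0 refuse        # everyone else is refused
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # RFC 5011 root anchor

    # The internal zone lives only on the hidden BIND, so the public DS chain
    # cannot validate it. Either trust the internal zone's own key ...
    trust-anchor-file: "/etc/unbound/home.example.key"    # DNSKEY/DS of the internal zone
    # ... or, if the internal view is unsigned, mark it insecure instead:
    # domain-insecure: "home.example"

    # Allow RFC 1918 addresses in answers for the internal zone (otherwise
    # unbound's rebind protection scrubs them).
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-domain: "home.example"

    # unbound blocks reverse lookups for private ranges by default; disable
    # that for the range we actually serve so the forward-zone below is used.
    local-zone: "1.168.192.in-addr.arpa." nodefault

forward-zone:
    name: "home.example"                     # assumed internal zone
    forward-addr: 10.0.99.10                 # assumed hidden BIND on the non-routed VLAN
    forward-first: no                        # never fall back to the Internet for internal names

forward-zone:
    name: "1.168.192.in-addr.arpa."
    forward-addr: 10.0.99.10

# --- nsd.conf (excerpt) --------------------------------------------------
# Public authoritative front end. It never recurses; it only serves zones it
# has pulled from the hidden BIND over TSIG-signed AXFR/IXFR.
server:
    ip-address: 203.0.113.53                # assumed public address
    hide-version: yes
    zonesdir: "/var/lib/nsd"

key:
    name: "xfer.home.example"               # assumed key name; must match BIND's key {} block
    algorithm: hmac-sha256
    secret: "<base64 secret generated with tsig-keygen, kept out of version control>"

zone:
    name: "home.example"
    zonefile: "home.example.zone"
    allow-notify: 10.0.99.10 xfer.home.example   # accept NOTIFY only from BIND, TSIG-signed
    request-xfr: 10.0.99.10 xfer.home.example    # pull the zone from BIND, TSIG-signed
```

On the BIND side the matching pieces are a `key` block with the same name, algorithm and secret, `allow-transfer { key xfer.home.example; };` and `also-notify { 203.0.113.53; };` on the external view of the zone; with split-horizon, the view NSD transfers must be the external one, or internal RFC 1918 records end up published. Nothing outside the non-routed VLAN ever needs to reach port 53 on the BIND hosts, which is the point of the arrangement.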