DNS subdomain (child) NS records

domain-name-system ns-record

Solution 1:

The way it works

The authoritative NS records reside inside the zone itself (and provided in ANSWER section when the authoritative server is queried), just like all other records that are part of that zone.

To be able to traverse the tree, referral/delegation/authority information (NS and any glue A/AAAA records necessary) is also added to the parent zone.
This information, however, is not treated as the "real answer", the answer lacks the AA (authoritative answer) flag and the NS records are in the AUTHORITY section to indicate that this is just information on who has the actual answer.
One implication of this is that if you do a direct lookup of NS records you will follow this referral and query the authoritative server despite having just seen what should be the same information.

Why was it defined to work this way?

Presumably because it was considered proper/clean/logical that all authoritative records reside inside the zone that they belong to and that there should be authoritative records also for NS.

Could this have been defined differently?

Yes. Look at for instance how DS records were defined when introduced much later. In that case there is no such record inside the child zone, instead it's the parent that is authoritative.

Can I do it differently?

No. Because it was defined the way it was and all the software out there works based on how it was defined, things will break (often in subtle ways) if you don't do it properly.

tl;dr

You need the same NS records both in your zone and as delegation information in the parent zone. Much the same way, any glue A/AAAA records also need to actually exist as real authoritative records.

Solution 2:

Much as I hate to disagree with my esteemed colleague, the NS records within the zone do serve some purposes. For example, the 1ary NS needs to know who all the other NSes are so that in the event of a zone update it can send them all DNS NOTIFYs, so they know to perform zone transfers. This information it gets from those in-zone NS records.

As for DS records having no in-zone counterpart, the DS is a simple digest of the in-zone KSK DNSKEY record. That record, just like the NS records, would have been mirrored in- and out-zone were it not for the considerable length of KSK records, and the performance implications for domains with tens of millions of child entries, such as .com, of maintaining a similar number of records of arbitrary length. Thus the decision to keep only a digest in the parent zone - but they are still the same record, and the in- and out-zone copies must match, just as with NS records.

tl; dr

Håkan is right; you need those in-zone records, and they really ought to match the out-zone (glue) copies. Generally, don't violate RFCs unless you're really sure you know what you're doing.

Related

How do I assign a memory limit for mySQL?
unable to schedule a task (access denied)
Does anyone have any experience when it comes to speed of Amazon RDS vs MySQL on a Small server?
Ubuntu 18.04 doesn't load iptables rules after reboot
Wildcard for A and MX records possible?
What settings does Windows use to determine network location?
Current wisdom on SQL Server and Hyperthreading?
How do you disable "stealth mode" on Windows Server 2008?
Windows Update: can't apply updates even as domain admin on Server 2008 R2
Load balancing MySQL using HAProxy: Got an error reading communication packets?
How can the Address condition in a Match conditional block in sshd_config be negated?
Unable to dcpromo new 2008 Server in 2000 domain