dnsmasq: one domain, half private, half public?
Solution 1:
Is this a common setup?
I've seen multiple questions on ServerFault asking for a similar setup as you want, so I'm guessing it's a common setup. But since it's not really possible, I would state it's a common setup by administrators who not really understand how DNS works. (Sorry, I do not wish to offend you - nor anyone else on this forum).
I've provided a possible answer to the question where one hosts both the internal DNS server as well as the external DNS server here. However this answer uses BIND as the DNS server, not dnsmasq.
Is it doable (with dnsmasq)?
As stated before, it's not possible to be authoritative for a given zone and forward the query to a different nameserver if you don't have the answer yourself. The answer I provided in the other question is a work-around.
Is there a canonical way for organizations to configure their DNS when they use the same domain for both public and private presences?
I would say they either use a subdomain internally or use split DNS. Records that need to be in both internal and external views will need to be copied in both zones. This can be simplified using automation (e.g. Ansible).