So I've got a domain registered with Dreamhost, which apparently does not do recursive lookups, and an app on Heroku. Heroku apps are always configured to use a CNAME record to proxy.heroku.com.
So:
Authoritative DNS: ns1.dreamhost.com (for foo.com)
CNAME record: app.foo.com -> proxy.heroku.com
Resolves to: Set of A records for EC2 IPs
I've been told by some folks trying to connect to the app from behind a Windows Server 2003 DNS Server that it handles SERVFAIL differently and cannot resolve the DNS. I'm trying to understand if this is truly a configuration issue on my side or theirs, notably, per the title:
Must the authoritative DNS server for a domain be recursive to allow CNAME records pointing to other domains?
No you don't need to have recursion on for authoritative DNS servers. Depending on who you ask it's even considered good practice that (if possible) your authoritative server not be recursive as it's a line of defence against some DoS attacks. (Cisco's document is here for example)
A sample from my domain is below (Server is running Bind 9 and is non-recursive).
It sounds more like a DNS misconfiguration at the Windows 2003 DNS than anything else.
Authoritative servers should NOT be configured to offer recursive service. Not even to work around a potential Microsoft bug.
I can't quote chapter and verse at the moment (if I find it I'll update). However this is very much the accepted "best common practise" for operation of DNS servers.
If some resolver in your lookup chain is returning SERVFAIL then that simply indicates a misconfiguration somewhere or that you're asking the wrong question (or the right question with the wrong flags). In your case, the dreamhost.com servers return SERVFAIL if you ask for a recursive answer (which happens to be what nslookup does by default). They're perfectly entitled to do that, they're authoritative servers, not recursive. On my system, if I use dig instead and specifically disable recursion I get:
Dreamhost uses powerdns (ugh), just as bad .. but Windows recursive resolvers do indeed suck.
The question is, why are the Windows DNS boxes at your client sites getting SERVFAIL? They shouldn't be.
And, the above poster is correct - if you're authoritative to a domain, you can have it cname, A, fail, you name it, to any domain/ip (you don't have to know the glue to the other domain).
Perhaps that's it - that the DNS resolvers that asked for your A record (and got a CNAME) stuck thinking it would also know the glue for heroku.com.
You could analyse the listed nameservers for the original query to see what's happening, but in a 'worst case' scenario you could just serve out 'A' records .. it'd just be a P-I-T-A.
If you want to post a real-world fail-domain that's cool; you could also PM or AIM nerdNG :p (I love finding root-cause probs with DNS. Go fig)
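The two answers above hinge on one header detail: an authoritative-only server gets a query with the RD (recursion desired) bit set, answers with RA (recursion available) clear and RCODE SERVFAIL (or REFUSED on BIND), while the same question with RD cleared gets an authoritative answer. The following is an added example, not code from anyone in this thread, that builds both query variants, decodes the reply header the way you would read dig's flags line, and can probe a server of your own over UDP/53; the two sample replies are constructed, not captured from Dreamhost or any real server.

```python
import socket
import struct

SERVFAIL, REFUSED = 2, 5  # RCODE values from RFC 1035

def build_query(name, qtype=1, recursion_desired=True, txid=0x1234):
    """Minimal DNS query; qtype 1 = A, 5 = CNAME. RD is bit 8 of the flags word."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Decode the 12-byte header: QR/AA/RD/RA flags, RCODE and answer count."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an}

def diagnose(resp):
    """Classify a reply the way a human reading dig's flags line would."""
    h = parse_header(resp)
    if h["rcode"] in (SERVFAIL, REFUSED) and h["rd"] and not h["ra"]:
        return "servfail: RD set but server is not recursive; retry with RD cleared"
    if h["rcode"] == 0 and h["aa"]:
        return "authoritative answer (%d records)" % h["answers"]
    return "rcode %d" % h["rcode"]

def probe(server_ip, name, qtype=1, recursion_desired=True, timeout=3.0):
    """Send one query to your own nameserver over UDP/53; returns the raw reply (needs network)."""
    query = build_query(name, qtype, recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        return sock.recvfrom(512)[0]

# Constructed sample replies (not from any real server); question section echoed,
# answer RR bytes omitted because only the header is decoded here.
QUESTION = build_query("app.foo.com", qtype=5)[12:]
# QR=1, RD=1, RA=0, RCODE=2: an authoritative-only server answering a recursive query
SERVFAIL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8102, 1, 0, 0, 0) + QUESTION
# QR=1, AA=1, RCODE=0, one answer: the same server once RD is cleared
AUTH_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + QUESTION

if __name__ == "__main__":
    print(diagnose(SERVFAIL_REPLY))
    print(diagnose(AUTH_REPLY))
```

Running probe() against your own authoritative server with recursion_desired True and then False reproduces the nslookup-versus-dig +norecurse difference described above without touching anyone else's resolver.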
I've been looking for "similar" questions to my own here and there seem to be quite a few similar points (e.g. Windows 2003 DNS servers and SERVFAIL response)
If anyone has any link to the "potential Microsoft bug" above, would they mind posting details.
Much appreciated.