I sidestepped this issue by creating a domain that does not exist on the Internet. For example, assume I have mycompany.com.
I created hq.mycompany.com in Zeroshell and then assigned internal names for all my boxes (box1.hq.mycompany.com, etc.). DNS requests for publicly accessible servers (mail.mycompany.com, http://www.mycompany.com) are passed on out to the DNS hosting company and are returned with external IP addresses.
I then set Zeroshell’s NAT capabilities to redirect local requests for the public servers to the local address(es) for the servers.
End result: I did not have to replicate all of the public DNS entries, including SPF, DKIM, SIP SRV, etc. on Zeroshell. All public addresses work from inside and all boxes inside have DNS names that are only available from inside. As a bonus, if I ever decide to move a public server to a hosting company I don’t have to muck with the DNS as much, and the NAT entries could even stay without hurting anything.
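The two pieces of the setup above, the internal-only subdomain and the NAT redirect for the public addresses, modelled as a small simulation. This is an added example, not code from the post or from Zeroshell; the addresses, the zone contents and the packet model are constructed assumptions. It shows the split-horizon lookup (names under hq.mycompany.com are answered locally and never forwarded, everything else goes upstream) and the hairpin redirect, including the caveat that the redirect needs a source rewrite (SNAT/masquerade) as well as the destination rewrite, otherwise the internal server answers the LAN client directly from its private address and the client never matches the reply to its connection.

```python
"""Model of split-horizon DNS plus hairpin NAT (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

INTERNAL_SUFFIX = ".hq.mycompany.com"            # internal-only subdomain (assumed)
LAN = ipaddress.ip_network("192.168.1.0/24")      # constructed LAN
ROUTER_LAN_IP = "192.168.1.1"                     # constructed router address
PUBLIC_IP = "203.0.113.10"                        # documentation range, stands in for the real public IP

# Internal zone served by the router itself (constructed).
INTERNAL_ZONE = {
    "box1.hq.mycompany.com": "192.168.1.10",
    "mail.hq.mycompany.com": "192.168.1.20",
}
# What the upstream (hosting company) resolver would answer (constructed).
EXTERNAL_DNS = {
    "mail.mycompany.com": PUBLIC_IP,
    "www.mycompany.com": PUBLIC_IP,
}
# Hairpin rules: (public IP, port) -> internal server address (constructed).
HAIRPIN = {(PUBLIC_IP, 25): "192.168.1.20", (PUBLIC_IP, 443): "192.168.1.30"}


def resolve(name: str) -> Tuple[Optional[str], str]:
    """Split-horizon lookup.

    Returns (answer or None, "internal"|"upstream"). Internal names are
    answered from the local zone only, so they are never sent outside and
    an outside resolver can never supply an answer for them.
    """
    name = name.rstrip(".").lower()
    if name.endswith(INTERNAL_SUFFIX):
        return INTERNAL_ZONE.get(name), "internal"
    return EXTERNAL_DNS.get(name), "upstream"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def router_forward(pkt: Packet, snat: bool) -> Optional[Packet]:
    """Apply the hairpin rule to LAN-originated packets aimed at the public IP.

    With snat=True the source is rewritten to the router's LAN address so
    the server's reply comes back through the router. Returns None when no
    rule matches (assumed: no other port forward exists).
    """
    if ipaddress.ip_address(pkt.src) in LAN and (pkt.dst, pkt.dport) in HAIRPIN:
        new_src = ROUTER_LAN_IP if snat else pkt.src
        return Packet(new_src, HAIRPIN[(pkt.dst, pkt.dport)], pkt.sport, pkt.dport)
    return None


def connect(client_ip: str, name: str, port: int, snat: bool = True) -> bool:
    """True if the LAN client gets a reply it recognises as part of its connection."""
    dst, _ = resolve(name)
    if dst is None:
        return False
    req = Packet(client_ip, dst, 40000, port)
    if ipaddress.ip_address(dst) in LAN:
        return True                                  # same subnet, no NAT involved
    fwd = router_forward(req, snat)
    if fwd is None:
        return False
    # The server replies to whatever source address it saw.
    reply = Packet(fwd.dst, fwd.src, fwd.dport, fwd.sport)
    if reply.dst == ROUTER_LAN_IP:
        # Reply passes back through the router, which undoes both rewrites.
        reply = Packet(req.dst, req.src, req.dport, req.sport)
    # The client only accepts a reply from the address and port it connected to.
    return reply.dst == client_ip and reply.src == dst and reply.dport == req.sport


if __name__ == "__main__":
    print("internal name:", connect("192.168.1.50", "box1.hq.mycompany.com", 22))
    print("public name, DNAT+SNAT:", connect("192.168.1.50", "mail.mycompany.com", 25))
    print("public name, DNAT only:", connect("192.168.1.50", "mail.mycompany.com", 25, snat=False))
```

Running the block prints True for the internal name and for the public name with the full hairpin rule, and False when only the destination is rewritten, which is the case to check if a redirect like the one described works from outside but not from the LAN.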