From a practical point of view, I gotta ask why it's necessary to resolve your internal machines?
There have to be hundreds of different opinions about "how" to use DNS, and I have my own preferences as you do, but for me, to have an Internet-accessible DNS server resolving "non-Internet" services seems unnecessary..
To make 'machine1.mydomain.com' resolve to a non-routable network goes against the RFCs..
I rather prefer to install a small DNS proxy, e.g. dnsmasq, internally to do that, which then uses your BIND server as well as external servers to resolve Internet numbers.
A separate hosts file is maintained containing all your local, DMZ and dynamic numbers. It can even check DHCP records..
Getting back to BIND..
Have a look at this mailing list question to get an idea on setting up access control with 'views' for a correction..
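The internal dnsmasq setup described above, written out as an added example (not from the post): the listen address, the BIND server's address 203.0.113.53, the hosts-file path and the DHCP range are constructed placeholders.

```conf
# /etc/dnsmasq.conf -- constructed example of an internal-only resolver.
# Bind only to the LAN side so the proxy is never reachable from the Internet.
interface=eth0
bind-interfaces
listen-address=192.168.1.1

# Don't leak unqualified names upstream, and answer private reverse zones
# (10/8, 172.16/12, 192.168/16) locally instead of forwarding them.
domain-needed
bogus-priv

# Queries for the public domain go to the existing BIND server ...
server=/mydomain.com/203.0.113.53
# ... everything else goes to external resolvers.
server=9.9.9.9
server=1.1.1.1

# Internal, DMZ and static hosts live in their own file, not /etc/hosts,
# so the split between internal and public names is kept in one place.
no-hosts
addn-hosts=/etc/dnsmasq.hosts

# Hand out leases and register lease hostnames in the local zone automatically.
domain=lan
local=/lan/
expand-hosts
dhcp-range=192.168.1.100,192.168.1.200,12h
```

With this in place only the internal resolver knows the RFC 1918 addresses, while the BIND server facing the Internet serves the public zone alone.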