Bind upgrade from 9.9 to 9.14 renders some domains not resolvable
name: Bug report
about: Bind upgrade from 9.9 to 9.14
Describe the bug We upgraded from BIND 9.9 (the CentOS package) to BIND 9.14 (ISC's own packages). Since then, several domains can no longer be resolved through this server, for example:
- batch.web.cddbp.net
- webapi-net.glb.gracenote.com
- respawn.com (occasionally resolves right after a named restart, but not reliably)
Note: if you append +trace to the dig commands in the reproduction steps below, the A records for these names are shown. Because +trace makes dig iterate from the root servers itself instead of asking named to recurse, this suggests the authoritative data is reachable and the failure is inside the local resolver (DNSSEC validation, fetch limits or EDNS handling are the usual suspects) — this is an inference, not yet confirmed.
To Reproduce Steps to reproduce the behavior:
- Run Bind isc-bind-bind-9.14.2-1.1.el7.x86_64
- Use the configuration shown under Additional Information below
- dig @localhost batch.web.cddbp.net
- dig @localhost webapi-net.glb.gracenote.com
Expected behavior The names above resolve through the upgraded server exactly as they did under BIND 9.9.
Environment:
- Bind isc-bind-bind-9.14.2-1.1.el7.x86_64
- CentOS 7
Additional Information
// Local host (v4 and v6).
acl loopback {
    127.0.0.1;
    ::1;
};

// Management networks.
// NOTE(review): 172.16.0.0/12 also appears in "bogusnets" below, which is
// used as the blackhole list, and unlike 192.168.10.0/24 it is not negated
// there. Blackholed sources get no answer at all, so hosts in 172.16.0.0/12
// cannot actually query this server - confirm which of the two lists is wrong.
acl management {
    172.16.0.0/12;
    192.168.10.0/24;
};

// Own address space, IPv4.
acl ournet {
    1.2.3.0/24;
};

// Own address space, IPv6.
acl ournet_ipv6 {
    2a02:1234::/32;
    fd00:2a02:2028:a000::/64;
    2a04:2345::/29;
};

// External range permitted to use this resolver.
acl extern {
    3.4.5.0/22;
};

// Sources that are never answered (used by "blackhole" in options): RFC 1918
// space, which is commonly used in spoofing attacks, plus other bogons.
// Address match lists stop at the first hit, so the negated exemption must
// stay at the top.
// NOTE(review): 10.0.0.0/9 covers only half of the RFC 1918 10.0.0.0/8
// block - confirm whether /8 was intended.
acl bogusnets {
    !192.168.10.0/24;   // management LAN, exempted from the block
    0.0.0.0/8;          // "this" network
    10.0.0.0/9;
    192.0.2.0/24;       // TEST-NET-1
    224.0.0.0/3;        // multicast and reserved, 224.0.0.0-255.255.255.255
    172.16.0.0/12;
    192.168.0.0/16;
};

// IPv6 counterpart: all ULA space, with our own /64 exempted first.
acl bogusnets_ipv6 {
    !fd00:2a02:2028:a000::/64;
    fc00::/7;
};
options {
    // ---- Files and directories -------------------------------------------
    directory "/var/named";
    pid-file "/run/named/named.pid";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    managed-keys-directory "/var/named/dynamic";

    // ---- Network -----------------------------------------------------------
    // Listen on every address; access is restricted by the allow-* lists and
    // the blackhole below, not by the listening address.
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };

    // ---- Resolver behaviour ------------------------------------------------
    recursion yes;
    // Do not set the AA bit on NXDOMAIN answers we did not authoritatively
    // produce (RFC 1035 behaviour).
    auth-nxdomain no;
    recursive-clients 5000;
    tcp-clients 250;
    clients-per-query 200;
    max-clients-per-query 2000;
    max-cache-size 10%;
    //max-cache-ttl 86400;
    //max-ncache-ttl 3600;

    // Fetch limits. With "fail", a zone or server whose quota is exhausted
    // answers SERVFAIL instead of queueing further fetches.
    // NOTE(review): intermittent SERVFAIL for a handful of names is also what
    // an exhausted quota looks like; the "spill" logging category records
    // these events, so check it before attributing failures to the upgrade.
    fetches-per-server 200 fail;
    fetches-per-zone 100 fail;

    // ---- DNSSEC ------------------------------------------------------------
    dnssec-enable yes;
    // "auto" validates against the built-in root trust anchor and tracks
    // rollovers (RFC 5011) in managed-keys-directory.
    dnssec-validation auto;
    // Overrides the built-in trust anchors with the contents of this file.
    // The previous comment called this the "ISC DLV key"; DLV has been retired
    // and is not what this path holds.
    // NOTE(review): if this file (or the managed-keys state) still carries only
    // the pre-2018 root KSK, every signed name fails validation with SERVFAIL
    // after an upgrade - verify it contains the current root KSK.
    bindkeys-file "/var/named/keys/managed-keys.bind";

    // ---- Hardening ---------------------------------------------------------
    // Hide the version string from "dig CH TXT version.bind".
    version "not currently available";
    // No zone transfers and no dynamic updates are served from here.
    allow-transfer { none; };
    allow-update { none; };
    allow-update-forwarding { none; };
    // Closed resolver: only our own networks may query, recurse or read the
    // cache. Add ranges here (or use "any") if an open resolver is wanted.
    allow-recursion { ournet; ournet_ipv6; extern; management; loopback; };
    allow-query { ournet; ournet_ipv6; extern; management; loopback; };
    allow-query-cache { ournet; ournet_ipv6; extern; management; loopback; };
    // Spoofed / bogon sources receive no response at all.
    blackhole { bogusnets; bogusnets_ipv6; };

    // Query logging is off by default; toggle at runtime with "rndc querylog".
    querylog no;
};
// Statistics channel polled by Zabbix; bound to and reachable from loopback only.
statistics-channels {
    inet 127.0.0.1 port 8653 allow {
        127.0.0.1;
    };
};
// ACL policies for the VoIP-proxy views (kept in a separate file)
include "acl/voice_proxy.acl";
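//
// Logging: three rotating files under /var/log/named (3 versions x 50 MB each).
// Configuration-parse errors occur before logging is set up and still go to
// syslog (typically /var/log/messages).
//
logging {
    // General server messages (the "default" category and, below, "resolver").
    channel dns_cache {
        file "/var/log/named/dns-cache.log" versions 3 size 50m;
        severity notice;
        print-severity yes;
        print-time yes;
        print-category yes;
    };
    // Query log. Only populated while query logging is on ("querylog no" in
    // options; toggle at runtime with "rndc querylog").
    channel dns_queries {
        file "/var/log/named/dns-query.log" versions 3 size 50m;
        severity notice;
        print-severity no;
        print-time yes;
        print-category yes;
    };
    // DNSSEC validation messages.
    channel dnssec_log {
        file "/var/log/named/dnssec.log" versions 3 size 50m;
        severity notice;
        print-severity yes;
        print-time yes;
        print-category yes;
    };

    category default      { dns_cache; };
    category lame-servers { null; };
    category queries      { dns_queries; };
    // Previously "null", which left the dnssec_log channel defined but unused
    // and hid validation failures - the first thing to look at when names
    // start returning SERVFAIL after a resolver upgrade.
    category dnssec       { dnssec_log; };
    // Previously "null"; resolver messages (timeouts, EDNS fallbacks, fetch
    // problems) now land in the general log at notice and above.
    category resolver     { dns_cache; };
};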
#include "keys/trusted-keys";
#include "keys/managed-keys";