Created Jun 19, 2019 by Florian@Strankowski-WT

Bind upgrade from 9.9 to 9.14 renders some domains not resolvable

name: Bug report
about: Bind upgrade from 9.9 to 9.14

Describe the bug: We've upgraded from Bind 9.9 (CentOS package) to 9.14 (ISC's own build). There are multiple domains we can no longer resolve. For example:

  • batch.web.cddbp.net
  • webapi-net.glb.gracenote.com
  • respawn.com (occasionally works right after a named restart, but not always)

Fun fact: If you append +trace to the dig commands (see steps 3 and 4 below), the A records for the mentioned domains are shown.

To Reproduce: steps to reproduce the behavior:

  1. Run Bind isc-bind-bind-9.14.2-1.1.el7.x86_64
  2. See attached config
  3. dig @localhost batch.web.cddbp.net
  4. dig @localhost webapi-net.glb.gracenote.com

Expected behavior: the names resolve as they did before the upgrade.

Environment:

  • Bind isc-bind-bind-9.14.2-1.1.el7.x86_64
  • CentOS 7

Additional Information

// Address match lists are evaluated first-match, so a negated entry
// (!prefix) only takes effect if it appears before a broader prefix
// that would otherwise cover it; both bogusnets lists below rely on that.

// loopback
acl loopback { 127.0.0.1; ::1; };
// NOTE(review): 172.16.0.0/12 is also listed, unnegated, in "bogusnets"
// below, and "bogusnets" is referenced by the blackhole statement in
// options. Only 192.168.10.0/24 is exempted there, so the rest of this
// ACL is presumably dropped before allow-query / allow-recursion are
// consulted -- confirm which behaviour is intended.
acl management { 172.16.0.0/12; 192.168.10.0/24; };
acl ournet {
                1.2.3.0/24;
            };

acl ournet_ipv6 { 2a02:1234::/32; fd00:2a02:2028:a000::/64; 2a04:2345::/29; };
acl extern { 3.4.5.0/22; };

// Set up an ACL named "bogusnets" that will block RFC1918 space,
// which is commonly used in spoofing attacks. It also covers 0.0.0.0/8,
// TEST-NET-1 (192.0.2.0/24) and 224.0.0.0/3 (multicast plus 240.0.0.0/4).
// The leading negated entry exempts 192.168.10.0/24 from the later
// 192.168.0.0/16 match.
// NOTE(review): 10.0.0.0/9 covers only 10.0.0.0-10.127.255.255;
// presumably 10.0.0.0/8 was intended -- confirm.
acl bogusnets { !192.168.10.0/24; 0.0.0.0/8; 10.0.0.0/9; 192.0.2.0/24; 224.0.0.0/3; 172.16.0.0/12; 192.168.0.0/16; };
// Same idea for IPv6 ULA space (fc00::/7), exempting the local
// fd00:2a02:2028:a000::/64 prefix that "ournet_ipv6" allows.
acl bogusnets_ipv6 { !fd00:2a02:2028:a000::/64; fc00::/7; };


// Global server options: a recursive resolver restricted to the ACLs
// defined above, with DNSSEC validation enabled.
options {
    directory           "/var/named";
    pid-file            "/run/named/named.pid";
    dump-file           "/var/named/data/cache_dump.db";
    statistics-file     "/var/named/data/named_stats.txt";
    memstatistics-file  "/var/named/data/named_mem_stats.txt";
    recursing-file      "/var/named/data/named.recursing";

    /* Path to ISC DLV key */
    // NOTE(review): the comment above calls this the DLV key file; with
    // "dnssec-validation auto" below, named's built-in root trust anchor
    // is used, so confirm this file is still needed and what it contains.
    bindkeys-file "/var/named/keys/managed-keys.bind";

    // conform to RFC1035
    auth-nxdomain no;

    // Where automatically maintained trust anchors are stored.
    managed-keys-directory "/var/named/dynamic";

    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };

    // Rate limiting of outbound fetches (per upstream server / per zone).
    fetches-per-server 200 fail;
    fetches-per-zone 100 fail;

    // DNSSEC validation is on; "auto" uses named's built-in trust anchor.
    // NOTE(review): with validation enabled, names that fail validation are
    // not answered -- the dnssec logging category in the logging block is
    // sent to null, so such failures would not show up in the log files.
    dnssec-enable yes;
    dnssec-validation auto;

    // Query logging is off at startup (it can be toggled with rndc querylog).
    querylog no;
    recursion yes;

    tcp-clients 250;
    recursive-clients 5000;
    max-cache-size 10%;

    //max-cache-ttl 86400;
    //max-ncache-ttl 3600;

    clients-per-query 200;
    max-clients-per-query 2000;


    // version statement - inhibited for security
    // (makes fingerprinting the server via version.bind harder)
    version "not currently available";

    // disables all zone transfer requests
    allow-transfer{"none";};

    // disable zone-updates
    allow-update{"none";};
    allow-update-forwarding{"none";};

    // Closed DNS - permits only local IPs to issue queries
    // remove if an Open DNS required to support all users
    // or add additional IP ranges
    // in this case either allow-query or allow-recursion can be used
    allow-recursion { ournet; ournet_ipv6; extern; management; loopback; };
    allow-query { ournet; ournet_ipv6; extern; management; loopback; };
    allow-query-cache { ournet; ournet_ipv6; extern; management; loopback; };
    // NOTE(review): "bogusnets" contains 172.16.0.0/12 unnegated, which is
    // also the first entry of the "management" ACL allowed just above.
    // Clients from that range (other than 192.168.10.0/24, which bogusnets
    // exempts) are presumably blackholed before the allow-* lists apply
    // -- confirm.
    blackhole { bogusnets; bogusnets_ipv6;};
};

// Statistics channel for zabbix: bound to loopback only and further
// restricted to 127.0.0.1, so it is not reachable from the network.
statistics-channels {
        inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
};


// Policies for the VoIP proxy views (the included file is not part of
// this report, so the views it defines cannot be reviewed here).
include "acl/voice_proxy.acl";

//
// log to /var/log/example.log all events
// from info UP in severity (no debug)
// defaults to use 3 files in rotation
// BIND 8.x logging MUST COME FIRST in this file
// BIND 9.x parses the whole file before using the log
// failure messages up to this point are in (syslog)
// typically /var/log/messages
//
logging{
  // General server messages (category default) at notice and above.
  channel dns_cache{
   file "/var/log/named/dns-cache.log" versions 3 size 50m;
   severity notice;
   print-severity yes;
   print-time yes;
   print-category yes;
 };

  // Query log; see the note on "category queries" below.
 channel dns_queries{
   file "/var/log/named/dns-query.log" versions 3 size 50m;
   severity notice;
   print-severity no;
   print-time yes;
   print-category yes;
 };

  // NOTE(review): this channel is defined but no category below sends
  // anything to it.
 channel dnssec_log{
   file "/var/log/named/dnssec.log" versions 3 size 50m;
   severity notice;
   print-severity yes;
   print-time yes;
   print-category yes;
 };

 category default {dns_cache;};
 category lame-servers { null; };
 // NOTE(review): options sets "querylog no", so this channel presumably
 // receives nothing until query logging is switched on at runtime
 // (rndc querylog) -- confirm.
 category queries { dns_queries; };
 // NOTE(review): dnssec and resolver messages are discarded, so validation
 // failures and resolver errors for the names in this report would not
 // appear in any of the files above. Routing dnssec to dnssec_log (and
 // resolver to dns_cache) while diagnosing would show why the lookups fail.
 category dnssec  { null; };
 category resolver { null; };

};

// NOTE(review): in named.conf a leading "#" starts a comment, so the two
// lines below are comments, not include directives -- nothing is loaded
// from keys/trusted-keys or keys/managed-keys. With "dnssec-validation
// auto" in options the built-in trust anchor is used instead; confirm
// that leaving these commented out is intended.
#include "keys/trusted-keys";
#include "keys/managed-keys";
Edited Jun 19, 2019 by Florian