Change in Behaviour for host zone entries
Summary
I had a working setup that resolved a number of hosts in a domain as master zone example.com. There are hundreds of hosts in this file. However, for some exception host addresses the request is forwarded to another DNS server, i.e. external-1.example.com and external-2.example.com are recursively looked up, as they are not in the master zone, and in this case sent to another DNS server which will resolve them. The below config used to work for many years; however, it appears to no longer work.
zone "external-1.example.com" {
type forward;
forwarders { 8.8.8.8; 8.8.4.4; };
};
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};
BIND version used
BIND 9.10.3-P4-Debian <id:ebd72b3>
built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-3STTN9/bind9-9.10.3.dfsg.P4=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 6.3.0 20170516
compiled with OpenSSL version: OpenSSL 1.0.2r 26 Feb 2019
linked to OpenSSL version: OpenSSL 1.0.2r 26 Feb 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
Steps to reproduce
The below config used to work for many years; however, it appears to no longer work.
zone "external-1.example.com" {
type forward;
forwarders { 8.8.8.8; 8.8.4.4; };
};
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};
What is the current bug behavior?
The response no longer gets forwarded and returns SERVFAIL.
dig external-1.example.com @192.168.255.16
; <<>> DiG 9.10.3-P4-Debian <<>> external-1.example.com @192.168.255.16
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21852
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;external-1.example.com. IN A
;; Query time: 0 msec
;; SERVER: 192.168.255.16#53(192.168.255.16)
;; WHEN: Fri Jun 21 10:59:36 BST 2019
;; MSG SIZE rcvd: 58
What is the expected correct behavior?
Domain is looked up on 8.8.8.8 in this example and result sent.
Relevant configuration files
Config above
Relevant logs and/or screenshots
Config above
Possible fixes
This was working recently, so it looks like a regression issue, maybe?
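As an added diagnostic, not part of this report or of BIND itself: the script below parses zone statements like the two above and lists every forward zone that sits beneath a zone the server is authoritative for, together with its forward mode and forwarders, so an operator can see which names depend on forwarding rather than on the local master zone. The function names and the embedded config string are my own; the config text is copied from the report.

```python
import re
# Constructed input: the report's two zone statements, embedded so this runs offline.
SAMPLE_CONF = """
zone "external-1.example.com" {
    type forward;
    forwarders { 8.8.8.8; 8.8.4.4; };
};
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
"""

def zone_statements(conf):
    """Yield (name, body) per zone; brace depth keeps 'forwarders {...};' from ending it early."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        start, depth = conf.index('{', m.end()), 0
        for i in range(start, len(conf)):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            if depth == 0:
                yield m.group(1), conf[start + 1:i]
                break

def parse_zones(conf):
    """Map zone -> type, forward mode, forwarders. BIND's default mode is 'forward first':
    ask the forwarders, then fall back to resolving the name itself if they do not answer."""
    zones = {}
    for name, body in zone_statements(conf):
        body = re.sub(r'(//|#)[^\n]*', '', body)  # drop line comments
        ztype = re.search(r'\btype\s+(\w+)\s*;', body)
        mode = re.search(r'\bforward\s+(only|first)\s*;', body)
        fwd = re.search(r'\bforwarders\s*\{([^}]*)\}', body)
        zones[name.lower().rstrip('.')] = {
            "type": ztype.group(1).lower() if ztype else None,
            "forward": mode.group(1).lower() if mode else "first",
            "forwarders": [a.rstrip(';') for a in fwd.group(1).split()] if fwd else [],
        }
    return zones

def nested_forward_zones(zones):
    """Forward zones under a zone this server is authoritative for: (zone, parent, mode, forwarders)."""
    auth = {n for n, z in zones.items() if z["type"] in ("master", "primary", "slave", "secondary")}
    found = []
    for name, z in zones.items():
        for i in range(1, name.count('.') + 1):  # walk up: example.com, then com
            parent = name.split('.', i)[-1]
            if z["type"] == "forward" and parent in auth:
                found.append((name, parent, z["forward"], z["forwarders"]))
                break
    return found
```

Run against the real named.conf by reading the file into `parse_zones`; a zone reported with mode `first` and an empty or unreachable forwarder list is the first thing to check when such a name returns SERVFAIL.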