Looking at the dig flags it suggests you changed your config.
_my_ config is untouched.
drop back to v9.21.14, all's good again.
9.21.15 introduces a new rndc command `showconf -effective`. The output of this
command would be useful.
reproduced on a couple of server instances.
also, with different/older dig client versions.
in all cases, v9.21.14 and prior, good.
on my local dev box,
$ rndc showconf -effective
...
WAY too noisy/verbose for my taste, so redacted ... hth
$ rndc showconf -effective
acl "..." {
...
};
controls {
inet 127.0.0.1 port 953 allow {
127.0.0.0/8;
::1/128;
"localhost";
} keys {
...
};
...
};
dnssec-policy "default" {
cdnskey yes;
cds-digest-types {
"2";
};
dnskey-ttl 3600;
inline-signing yes;
keys {
csk key-directory lifetime unlimited algorithm 13;
};
manual-mode no;
max-zone-ttl 86400;
offline-ksk no;
parent-ds-ttl 86400;
parent-propagation-delay 3600;
publish-safety 3600;
purge-keys P90D;
retire-safety 3600;
signatures-jitter PT12H;
signatures-refresh P5D;
signatures-validity P14D;
signatures-validity-dnskey P14D;
zone-propagation-delay 300;
};
dnssec-policy "insecure" {
inline-signing yes;
keys {
};
manual-mode no;
max-zone-ttl 0;
};
dnssec-policy "defaultpol" {
dnskey-ttl PT1H;
keys {
ksk key-directory lifetime unlimited algorithm 13;
zsk key-directory lifetime P90D algorithm 13;
};
max-zone-ttl P1D;
nsec3param iterations 0 optout no salt-length 0;
parent-ds-ttl PT1H;
parent-propagation-delay PT1H;
publish-safety PT1H;
purge-keys P30D;
retire-safety PT1H;
signatures-refresh P5D;
signatures-validity P14D;
signatures-validity-dnskey P14D;
zone-propagation-delay PT5M;
};
http "server-http" {
endpoints {
"/dns-query";
};
};
logging {
...
};
masters ... {
...
};
options {
answer-cookie yes;
automatic-interface-scan no;
cookie-algorithm siphash24;
directory "/etc/named";
dnstap-identity hostname;
dump-file "/var/cache/named/cache_dump.db";
flush-zones-on-shutdown yes;
geoip-directory "/usr/share/GeoIP";
interface-interval 3600;
listen-on port 53 {
...
127.0.0.1/32;
};
listen-on-v6 port 53 {
...
::1/128;
};
managed-keys-directory "managed-keys";
match-mapped-addresses no;
max-rsa-exponent-size 0;
memstatistics yes;
memstatistics-file "namedb/stats/named.mem_stats";
notify-rate 100;
pid-file "/run/named/named.pid";
port 53;
tls-port 853;
http-port 80;
http-listener-clients 300;
http-streams-per-connection 100;
https-port 8453;
recursing-file "named.recursing";
recursive-clients 1000;
reuseport yes;
secroots-file "named.secroots";
serial-query-rate 100;
server-id none;
session-keyalg "hmac-sha512";
session-keyfile "/run/named/session.key";
session-keyname "local-ddns";
sig0checks-quota 1;
startup-notify-rate 100;
statistics-file "namedb/stats/named.stats";
tcp-advertised-timeout 300;
tcp-clients 100;
tcp-idle-timeout 300;
tcp-initial-timeout 300;
tcp-keepalive-timeout 300;
tcp-listen-queue 10;
tcp-primaries-timeout 150;
tcp-receive-buffer 0;
tcp-send-buffer 0;
transfer-message-size 20480;
transfers-in 10;
transfers-out 50;
transfers-per-ns 2;
udp-receive-buffer 0;
udp-send-buffer 0;
update-quota 100;
version "not disclosed";
allow-new-zones no;
allow-proxy {
"none";
};
allow-proxy-on {
"any";
};
allow-query-cache {
"none";
};
allow-query-cache-on {
"any";
};
allow-recursion {
"none";
};
allow-recursion-on {
"any";
};
auth-nxdomain no;
check-names primary fail;
check-names response ignore;
check-names secondary warn;
clients-per-query 10;
disable-empty-zone "168.192.IN-ADDR.ARPA";
dnssec-accept-expired no;
dnssec-validation auto;
edns-udp-size 4096;
empty-contact ".";
empty-zones-enable yes;
fetch-quota-params 100 0.10 0.30 0.70;
fetches-per-server 0;
fetches-per-zone 0;
ixfr-from-differences no;
lame-ttl 0;
lmdb-mapsize 33554432;
max-cache-size unlimited;
max-cache-ttl 3600;
max-clients-per-query 100;
max-ncache-ttl 900;
max-recursion-depth 7;
max-recursion-queries 50;
max-query-count 200;
max-query-restarts 11;
max-stale-ttl 86400;
max-udp-size 1232;
message-compression yes;
min-cache-ttl 0;
min-ncache-ttl 0;
minimal-any no;
minimal-responses yes;
nocookie-udp-size 4096;
nta-lifetime 3600;
nta-recheck 300;
prefetch 2 9;
provide-ixfr yes;
qname-minimization relaxed;
query-source 0.0.0.0;
query-source-v6 ::;
recursion no;
request-nsid no;
request-zoneversion no;
require-server-cookie no;
resolver-query-timeout 10;
response-padding {
"none";
} block-size 0;
root-key-sentinel yes;
rrset-order {
order cyclic;
};
send-cookie yes;
servfail-ttl 1;
sig0key-checks-limit 16;
sig0message-checks-limit 2;
stale-answer-enable no;
stale-answer-client-timeout off;
stale-answer-ttl 30;
stale-cache-enable no;
stale-refresh-time 30;
synth-from-dnssec yes;
transfer-format many-answers;
trust-anchor-telemetry yes;
resolver-use-dns64 no;
v6-bias 50;
zero-no-soa-ttl-cache no;
allow-notify {
"none";
};
allow-query {
"none";
};
allow-query-on {
"any";
};
allow-transfer {
"none";
};
allow-update-forwarding {
"none";
};
check-dup-records warn;
check-integrity yes;
check-mx warn;
check-mx-cname warn;
check-sibling yes;
check-spf ignore;
check-srv-cname warn;
check-svcb yes;
check-wildcard yes;
dnssec-loadkeys-interval 1;
dnssec-policy "none";
key-directory "keys/dnssec";
masterfile-format text;
max-ixfr-ratio 1%;
max-journal-size 51200;
max-records 0;
max-records-per-type 100;
max-types-per-name 100;
max-refresh-time 2419200;
max-retry-time 1209600;
min-transfer-rate-in 10240 5;
max-transfer-idle-in 60;
max-transfer-idle-out 60;
max-transfer-time-in 120;
max-transfer-time-out 120;
min-refresh-time 300;
min-retry-time 500;
multi-master no;
notify no;
notify-defer 0;
notify-delay 5;
notify-source ...;
notify-source-v6 ::;
notify-to-soa no;
nsec3-test-zone no;
parental-source 0.0.0.0;
parental-source-v6 ::;
provide-zoneversion yes;
send-report-channel ".";
request-expire yes;
request-ixfr yes;
request-ixfr-max-diffs 0;
serial-update-method unixtime;
sig-signing-nodes 100;
sig-signing-signatures 10;
sig-signing-type 65534;
transfer-source ...;
transfer-source-v6 ::;
try-tcp-refresh yes;
zero-no-soa-ttl yes;
zone-statistics yes;
};
parental-agents "parental_agents" {
1.1.1.1;
2606:4700:4700::1111;
9.9.9.9;
2620:fe::fe;
};
remote-servers "_default_iana_root_zone_primaries" {
2801:1b8:10::b;
2001:500:2::c;
2001:500:2f::f;
2001:500:12::d0d;
2001:7fd::1;
2620:0:2830:202::132;
2620:0:2d0:202::132;
170.247.170.2;
192.33.4.12;
192.5.5.241;
192.112.36.4;
193.0.14.129;
192.0.47.132;
192.0.32.132;
};
statistics-channels {
inet 127.0.0.1 port 19154 allow {
127.0.0.1/32;
::1/128;
};
};
tls "server-tls" {
key-file ...;
cert-file ...;
protocols {
"TLSv1.3";
"TLSv1.2";
};
prefer-server-ciphers yes;
session-tickets no;
};
view "external-chaos" chaos {
match-clients {
"any";
};
zone "." {
type hint;
file "/dev/null";
};
zone "bind" {
type master;
file "namedb/primary/db.bind.zone";
allow-query {
"acl_defaultpol_lan";
};
allow-transfer {
"none";
};
};
recursion no;
};
view "external" {
match-clients {
...
};
zone "." IN {
type hint;
file "/var/lib/named/named.root";
};
zone ... IN {
...
};
allow-new-zones yes;
allow-recursion {
key "...-key";
key "...-key";
};
check-names master ignore;
rate-limit {
responses-per-second 15;
window 2;
};
recursion yes;
allow-query {
"any";
};
allow-transfer {
key "...";
"defaultpol_trusted_hosts";
};
allow-update {
"none";
};
also-notify {
"...";
};
key-directory "keys/dnssec";
notify explicit;
};
view "internal" {
match-clients {
...
"acl_defaultpol_lan";
"localhost";
};
zone "." IN {
type hint;
file "/var/lib/named/named.root";
};
zone "localhost" IN {
type master;
file "namedb/primary/localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "namedb/primary/db.0.0.127.in-addr.arpa";
};
zone "168.192.in-addr.arpa" IN {
type master;
file "namedb/primary/db.168.192.in-addr.arpa";
};
zone "..." {
...
}
allow-recursion {
"any";
};
recursion yes;
allow-query {
...
"acl_defaultpol_lan";
"localhost";
};
allow-transfer {
key "...-key";
"defaultpol_trusted_hosts";
};
dnssec-policy "none";
notify no;
};
view "_bind" chaos {
zone "version.bind" chaos {
type primary;
database "_builtin version";
};
zone "hostname.bind" chaos {
type primary;
database "_builtin hostname";
};
zone "authors.bind" chaos {
type primary;
database "_builtin authors";
};
zone "id.server" chaos {
type primary;
database "_builtin id";
};
allow-new-zones no;
max-cache-size 2097152;
rate-limit {
min-table-size 10;
responses-per-second 3;
slip 0;
};
recursion no;
notify no;
provide-zoneversion no;
};
key "..." {
...
};
server fe80::/10 {
bogus yes;
};
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list.
