BIND9 DNS 服务器无法解析一个域中的两个名称

我在华硕路由器 (armv7l、ASUSWRT-Merlin) 上运行 BIND 9.18.11-3。
它是我自己的域的权威服务器，可以解析我网络上主机的 DNS 查询。

我的问题

这些澳大利亚政府网站记录返回服务失败（没有反应）：

• www.bom.gov.au
• weather.bom.gov.au

然而，这些澳大利亚政府网站记录返回无错误（附回复）：

• 搜索网站bom.gov.au
• satview.bom.gov.au
• 媒体网站bom.gov.au
• 商店网站

所有其他域名均正确解析，没有错误或失败。

这个问题大约在 1 周前（2023 年 4 月 26 日）才开始出现。在此之前，www和weather记录解析正确。在此期间，我没有更改绑定配置或区域文件（最后一次更改是 2023 年 3 月 8 日，DKIM 密钥更新）。

该weather记录由我每天使用的 BoM Android 应用程序使用。我第一次注意到这个问题时，应用程序报告“无法找到天气”。然后我尝试在 BoM 网站上查看天气（www使用台式电脑上的 Firefox），但再次失败。然后我使用 dig 手动检查路由器上的 DNS 查找，发现了这个 SERVFAIL 问题。

使用或使用公共 DNS 服务器（如）查找www和记录会返回 NOERROR 和响应。weatherdig +trace@1.1.1.1

我尝试过

• 禁用 DNSSEC
• 禁用黑洞
• 启用 IPv6 响应（通常被我的配置过滤掉）
• 清除绑定缓存
• 重新启动绑定（冷重启）

以上任何一项都不会对结果产生任何影响。

我已经打开了调试 10 日志记录（结果如下）但它并没有揭示问题的原因（至少对我来说没有）。

named-checkconf返回 0（零）

SERVFAIL 事件

[655] root@router:~ # dig weather.bom.gov.au

; <<>> DiG 9.18.11 <<>> weather.bom.gov.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35769
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 56004f0ced2814ac010000006450775eca9d6dc5e0cf4a81 (good)
;; QUESTION SECTION:
;weather.bom.gov.au.            IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue May 02 12:37:18 AEST 2023
;; MSG SIZE  rcvd: 75

[656] root@router:~ # dig www.bom.gov.au

; <<>> DiG 9.18.11 <<>> www.bom.gov.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10848
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7a03ecf8730c7b270100000064507b32d860b9b9ae62d5c1 (good)
;; QUESTION SECTION:
;www.bom.gov.au.                        IN      A

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue May 02 12:37:25 AEST 2023
;; MSG SIZE  rcvd: 71

我的配置

命名配置文件

所有内容<these>均为编辑过的数据。

acl bastion {
        <my public IP>;
};

acl router {
        127.0.0.1; 192.168.9.1;
};

acl lan {
        127.0.0.1; 192.168.9.0/24; 192.168.10.0/24; 192.168.11.0/24;
};

acl blacklist {
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.0.2.0/24; 224.0.0.0/3;
        ! 192.168.9.0/24; ! 192.168.10.0/24; ! 192.168.11.0/24; 192.168.0.0/16;
};

options {
        directory               "/opt/etc/bind";
        version                 "No information";
        hostname                "bastion.<my_domain>.au";

        auth-nxdomain           no;

        allow-transfer          { none; };
        blackhole               { blacklist; };
        listen-on               { bastion; router; };
        notify                  no;

        listen-on-v6            { none; };

        dnssec-validation       auto;
};

logging {

        channel file_dbug10 {
                file            "/opt/data/logs/bind.log" versions 3 size 10M;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
                severity        debug 10;
        };

        channel syslog_info {
                syslog          daemon;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
                severity        info;
        };

        channel syslog_warn {
                syslog          daemon;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
                severity        warning;
        };

        category config         { syslog_info; };
        category default        { syslog_info; };
        category dnssec         { syslog_warn; };
        category general        { syslog_info; };
        category lame-servers   { syslog_warn; };
        category notify         { syslog_info; };
#       category queries        { syslog_info; };
#       category query-errors   { file_dbug10; };
        category resolver       { syslog_warn; };
        category security       { syslog_info; };
        category update         { syslog_info; };
        category xfer-in        { syslog_info; };
        category xfer-out       { syslog_info; };
};

include "rndc.key";

controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

view internal {

        match-destinations      { router; };
        match-clients           { lan; };

        recursion               yes;
        allow-recursion         { lan; };

        plugin query "filter-aaaa.so" {
                filter-aaaa-on-v4        yes;
        };

        include "named.conf.internal.<my_domain>.au";
        include "named.conf.internal.<my_other_domain>.au";
        include "named.conf.combined.localhost";
        include "named.conf.combined.root.hint";
};

view external {

        match-destinations      { bastion; };
        match-clients           { any; };

        recursion               no;

        plugin query "filter-aaaa.so" {
                filter-aaaa-on-v4        yes;
        };

        include "named.conf.external.<my_domain>.au";
        include "named.conf.external.<my_other_domain>.au";
        include "named.conf.combined.localhost";
        include "named.conf.combined.root.hint";
};

其余绑定配置文件都是我的域（或本地主机）的区域文件。我不认为它们与此问题有关，但如果需要，我可以提供它们（已删除）。

BIND日志

以下是精简日志（查找使用缓存结果）。完整的 BIND 查找日志（从冷启动开始）可在此处获取。

02-May-2023 10:29:26.906 client: debug 3: client @0x2c629eac 127.0.0.1#52995: UDP request
02-May-2023 10:29:26.906 client: debug 5: client @0x2c629eac 127.0.0.1#52995: view internal: using view 'internal'
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995: view internal: request is not signed
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995: view internal: recursion available
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: query (cache) 'weather.bom.gov.au/A/IN' approved
02-May-2023 10:29:26.906 resolver: debug 1: fetch: weather.bom.gov.au/A
02-May-2023 10:29:26.906 resolver: debug 10: log_ns_ttl: fctx 0x2cd69128: fctx_create: weather.bom.gov.au (in 'weather.bom.gov.au'?): 1 124171
02-May-2023 10:29:26.906 resolver: debug 5: QNAME minimization - not minimized, qmintype 1 qminname weather.bom.gov.au
02-May-2023 10:29:26.906 database: debug 5: dns_adb_createfind: found A for name a24-66.akam.net (0x2c677490) in db
02-May-2023 10:29:26.906 resolver: debug 3: fctx 0x2cd69128(weather.bom.gov.au/A): createfind for 127.0.0.1#52995 - success
02-May-2023 10:29:26.906 database: debug 5: dns_adb_destroyfind on find 0x2c660288
02-May-2023 10:29:26.906 query-errors: debug 1: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: query failed (SERVFAIL) for weather.bom.gov.au/IN/A at query.c:7775
02-May-2023 10:29:26.906 query-errors: debug 2: fetch completed at resolver.c:4173 for weather.bom.gov.au/A in 0.000000: SERVFAIL/success [domain:weather.bom.gov.au,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: reset client