bind 9.11.3 - resolving troubles running as a caching server

Wed Nov 20 10:44:14 UTC 2019

Hello list
I'm glad there is such an active list. Hope there is anybody out there
who can help me with my little problem. :-)
We are running six bind server ( all Ubuntu LTS 18.04 with bind 9.11.3
), so they are pretty up to date.
Three of them have authoritative zones, one is for testing and two are
just caching servers. And there starts my problem.
1. It only appears on my caching servers and only if I use my other
servers as forwarders.
2. At the moment the problem appears on my chaching servers I'm still
able to let it resolve through my forwarders.
3. Only one organisation with several newspapers are affected. There may
be others but I don't know at the moment.

Ok, all these newspapers are hosted on oraclecloud with short timers
around 30s.

# dig
;; ANSWER SECTION:           39      IN      CNAME 16 IN CNAME 16 IN CNAME 28 IN A 28 IN A 28 IN A

# dig
;; ANSWER SECTION:   113     IN      CNAME 113    IN      CNAME 11 IN CNAME 12 IN CNAME 12 IN A 12 IN A 12 IN A

Now if I use my caching servers with forwarders enabled I run quite
often into cases where resolving stops working for theses two domains at
the same time.
When I take a dump I see the following line:
; answer 893 \-AAAA ;-$NXRRSET

I have to clear this host from cache to make it working again, for a few
The stupid thing, this NXRRSET cache entry has a much higher lifetime.
And so resolving stops working on my caching servers for more then 15min.

Any idea how I could find out why this happens?
There must be something between my DNS servers. They are in the same
network, so there is no firewall between.

Many thanks and regards

