Suppress BIND authority section on authoritative server with recursion disabled
Solution 1:
I did some quick testing, and believe your problem is related to the following line:
allow-query-cache { any; };
Your configuration is disallowing recursion to the public, but still allowing cache access. Normally a remote client would receive an rcode of REFUSED
when recursion is not enabled, but since access to the cache has been explicitly allowed, the client is receiving the most specific answer that is possible from a cache that does not contain that response.
The DNS professional in me would recommend disabling recursion+caching on an authoritative server in all circumstances where there is not an explicit need. If you are convinced that you need to retain this functionality, then it would be best to apply the same ACL to both. (or simply remove allow-query-cache
altogether, since it defaults to the value of allow-recursion
)
Solution 2:
I wouldn't consider what you describe normal behavior for BIND9 (it certainly doesn't behave like that with the default config), however I'm pretty sure I understand what causes it.
Your authoritative server also has recursion enabled (not necessarily a good idea) but locked down (better), however you are specifically allowing everyone access to already cached results.
If you remove allow-query-cache { any; };
, it should answer REFUSED
(as expected).