PowerDNS unexpected NXDomain

axfr

$ dig @10.1.1.60 internal -t AXFR 
; <<>> DiG 9.7.3 <<>> @10.1.1.60 internal -t AXFR
; (1 server found)
;; global options: +cmd
internal.		600	IN	SOA	nsa.byte.nl. hostmaster.byte.nl. 2009121500 10800 3600 604800 3600
localhost.internal.	604800	IN	A	127.0.0.1
internal.		43200	IN	NS	nsa.byte.nl.
internal.		43200	IN	NS	nsb.byte.nl.
internal.		43200	IN	NS	nsc.byte.nl.
[...]
;; Query time: 706 msec
;; SERVER: 10.1.1.60#53(10.1.1.60)
;; WHEN: Mon Jul 14 16:18:49 2014
;; XFR size: 52990 records (messages 532, bytes 1419469)

check-zone

$ pdnssec check-zone internal
Checked 52985 records of 'internal', 0 errors, 0 warnings.

db-rows.sh

# Using percona-server-server-5.5 @ Debian Squeeze
$ mysql pdns -e 'select domain_id, name, type, content, ttl from records where name in ("internal","dbint039487.c1.internal","database33.c1.internal")'
+-----------+-------------------------+-------+----------------------------------------------+-------+
| domain_id | name                    | type  | content                                      | ttl   |
+-----------+-------------------------+-------+----------------------------------------------+-------+
|      5247 | database33.c1.internal  | A     | 10.1.2.243                                   |  3600 |
|      5247 | dbint039487.c1.internal | CNAME | database33.c1.internal                       |    60 |
|      5247 | internal                | SOA   | nsa.byte.nl. hostmaster.byte.nl. 2009121500  |   600 |
|      5247 | internal                | NS    | nsa.byte.nl                                  | 43200 |
|      5247 | internal                | NS    | nsb.byte.nl                                  | 43200 |
|      5247 | internal                | NS    | nsc.byte.nl                                  | 43200 |
|      5247 | internal                | A     | 82.94.214.144                                |   600 |
+-----------+-------------------------+-------+----------------------------------------------+-------+

pdns.conf

# Running pdns-static 3.3.1-1 amd64 (deb pkg from site)

local-address=82.94.214.141,82.94.214.142,82.94.214.110,10.1.1.60

negquery-cache-ttl=0
query-cache-ttl=0

loglevel=9
allow-recursion=no
config-dir=/etc/powerdns
daemon=yes
disable-axfr=yes
guardian=yes
launch=gmysql
local-port=53
master=yes
module-dir=/usr/lib/powerdns
setgid=pdns
setuid=pdns
slave=yes
socket-dir=/var/run

gmysql-host=127.0.0.1
gmysql-user=pdns_read
gmysql-dbname=pdns
gmysql-password=xxxxxx
webserver=yes
webserver-address=0.0.0.0
webserver-port=8081

distributor-threads=5

stats

PowerDNS 3.3.1
Uptime: 7.7 minutes
Queries/second, 1, 5, 10 minute averages: 179, 122, 80.5. Max queries/second: 179
Cache hitrate, 1, 5, 10 minute averages: 41.4%, 39.3%, 39.0%
Backend query cache hitrate, 1, 5, 10 minute averages: 65.5%, 64.6%, 64.5%
Backend query load, 1, 5, 10 minute averages: 260, 187, 125. Max queries/second: 275
Total queries: 67066. Question/answer latency: 0.004ms

tcpdump

$ tcpdump -nvvr pcap-dns08 | grep -v AAAA | grep -B1 dbint039487.c1. | less

13:37:32.372046 IP (tos 0x0, ttl 64, id 24351, offset 0, flags [DF], proto UDP (17), length 69)
    10.1.2.39.9903 > 10.1.1.60.53: [udp sum ok] 553+ A? dbint039487.c1.internal. (41)
13:37:32.373650 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 152)
    10.1.1.60.53 > 10.1.2.39.9903: [udp sum ok] 553 NXDomain*- q: A? dbint039487.c1.internal. 1/1/0 dbint039487.c1.internal. CNAME database33.c1.internal. ns: internal. SOA nsa.byte.nl. hostmaster.byte.nl. 2009121500 10800 3600 604800 3600 (124)
13:37:32.373660 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 152)
    10.1.1.60.53 > 10.1.2.39.9903: [udp sum ok] 553 NXDomain*- q: A? dbint039487.c1.internal. 1/1/0 dbint039487.c1.internal. CNAME database33.c1.internal. ns: internal. SOA nsa.byte.nl. hostmaster.byte.nl. 2009121500 10800 3600 604800 3600 (124)