intermittent SERVFAIL for high visible domains such as *.google.com

[Brian J. Murrell]

I have a BIND (9.9.4)[1] server that runs well most of the time, but
periodically it will start returning SERVFAIL for very high-level
domains such as *.google.com, *.gstatic.com, *.github.com, etc.  It
seems to happen most frequently with Google domains, but I wonder if
that is just a reflection on the percentage of queries I have for those
here.

In any case when this happens, it will last a few minutes until it
resolves itself and/or I issue an "rndc reload".  That always seems to
correct it if I don't care to wait it out.

I'm wondering what the steps are to try to get to the bottom of this.

I have a db dump (rndc dumpdb) as well as some trace (rndc trace x10)
while this is happening.  Is this enough?  If so, what should I look
for as a cause of the SERVFAILs?

If not, what more do I need to collect?  Do I need tracing enabled
before the situation happens?  What level (how many "rndc trace"s
should I run)?

Very greatful for any help.

Cheers,
b.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20180117/d02eaf55/attachment.bin>