Não é possível adicionar o mapa a seguir…: SERVFAIL

Erro do DHCPD [4.3.5]:

Unable to add forward map from nvhenz710.hen.mentats.us to 172.24.1.31: SERVFAIL

não erra no BIND 9.11.1-P2-RedHat-9.11.1-2.P2.fc26

$  groups named dhcpd
named : named dhcpd
dhcpd : dhcpd named

selinux permissive

tcpdump parece limpo (está falando para ligar no mesmo servidor)

named.conf:

//
// named.conf
//

options {
       listen-on port 53 { 127.0.0.1; 172.24.251.251;};
       /* listen-on-v6 port 53 { ::1; }; */
       directory       "/var/named";
       dump-file       "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
       memstatistics-file "/var/named/data/named_mem_stats.txt";
       allow-query     { 172.24.0.0/16; 192.168.122.0/24; localnets; };
       allow-update     { 172.24.0.0/16; localnets; };
       recursion yes;

       dnssec-enable yes;
       dnssec-validation yes;
       dnssec-lookaside auto;

       /* Path to ISC DLV key */
       bindkeys-file "/etc/bind/bind.keys.v9_11";

       managed-keys-directory "/var/named/dynamic";
       forwarders {
               8.8.8.8;
               8.8.4.4;
               };

   disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
};


zone "." IN {
       type hint;
       file "named.ca";
};


include "/etc/named.root.key";

//
// Do any local configuration here
//
//
// max logging template
//
//logging {
//category "default" { "debug"; };
//category "general" { "debug"; };
//category "database" { "debug"; };
//category "security" { "debug"; };
//category "config" { "debug"; };
//category "resolver" { "debug"; };
//category "xfer-in" { "debug"; };
//category "xfer-out" { "debug"; };
//category "notify" { "debug"; };
//category "client" { "debug"; };
//category "unmatched" { "debug"; };
//category "network" { "debug"; };
//category "update" { "debug"; };
//category "queries" { "debug"; };
//category "dispatch" { "debug"; };
//category "dnssec" { "debug"; };
//category "lame-servers" { "debug"; };
//channel "debug" {
//file "/var/named/data/nameddbg" versions 2 size 50m;
//print-time yes;
//print-category yes;
//};
//};
//
logging {
category "general" { "debug"; };

category "unmatched" { "debug"; };
category "queries" { "debug"; };
category "resolver" { "debug"; };

category "update" { "debug"; };
category "security" { "debug"; };
channel "debug" {
       syslog;
       print-time yes;
       print-category yes;
       };
};


// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


#make sure permissions are -rw-r-----. 1 root named
include "/etc/rndc.key";


acl "xfer" {
       /* Deny transfers by default except for the listed hosts.
        * If we have other name servers, place them here.
        */
       172.24.241.241;
       172.24.242.242;
       172.24.243.243;
       172.24.252.252;
};


/*
* DNSSEC Look-aside Validation  
* see https://www.isc.org/downloads/bind/dlv/#dlv_key
*/
trusted-keys {
dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+ju
oZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58
dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0
PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTw
FlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOw
IeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZ
fSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
};

/*
* You might put in here some ips which are allowed to use the cache or
* recursive queries
*/
acl "trusted" {
       172.24.250.250;
       172.24.251.251;
       172.24.252.252;
       172.24.241.241;
       172.24.242.242;
       172.24.243.243;
       127.0.0.0/8;
       ::1/128;
};


//zone "localhost" IN {
//      type master;
//      file "pri/localhost.zone";
//      notify no;
//};

//zone "127.in-addr.arpa" IN {
//      type master;
//      file "pri/127.zone";
//      notify no;
//};

/*
* Briefly, a zone which has been declared delegation-only will be effectively
* limited to containing NS RRs for subdomains, but no actual data beyond its
* own apex (for example, its SOA RR and apex NS RRset). This can be used to
* filter out "wildcard" or "synthesized" data from NAT boxes or from
* authoritative name servers whose undelegated (in-zone) data is of no
* interest.
* See http://www.isc.org/software/bind/delegation-only for more info
*/

zone "hen.mentats.us." {
       type master;
       file "zones/hen.mentats.us.hosts";
       allow-update  { 172.24.0.0/16; localnets; };
       };      //end hen zone

zone "24.172.in-addr.arpa." {
       type master;
       file "zones/172.24.rev";
       };      // end 172.24/16 zone

zone "122.168.192.in-addr.arpa." {
       type master;
       file "zones/192.168.122.rev";
       };      // end 1.168 zone


controls {
       inet 172.24.251.251 allow { any; } keys { "rndc-key"; };
       inet 172.24.252.252 allow { any; } keys { "rndc-key"; };
       inet 172.24.241.241 allow { any; } keys { "rndc-key"; };
       inet 172.24.242.242 allow { any; } keys { "rndc-key"; };
       inet 172.24.243.243 allow { any; } keys { "rndc-key"; };
       inet 127.0.0.1 allow { any; } keys { "rndc-key"; };
       };

named e zones estão em um local não padrão

$ ll -a /var/named/zones/
drwxrwxr-x. 1 named named  166 Sep 17 22:27 ./
drwxr-x---. 1 root  named  148 Sep 16 14:08 ../
-rw-rw-r--. 1 named named 1.8K Sep 16 14:06 172.24.rev
-rw-rw-r--. 1 named named    0 Sep 17 22:27 172.24.rev.jnl
-rw-rw-r--. 1 named named  358 Sep 16 14:06 192.168.122.rev
-rw-rw-r--. 1 named named 2.9K Sep 16 14:06 hen.mentats.us.hosts
-rw-rw-r--. 1 named named    0 Sep 17 21:33 hen.mentats.us.hosts.jnl

Alguma sugestão sobre como obter mais detalhes sobre por que / como está falhando?

Existe um log BIND que posso ativar que perdi