Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
> Thanks for catching that. Should be "all better now".
A slave nameserver admin running a well-tuned instance of logcheck is the next best thing to automated service monitoring -- and less likely to wake you up with SMS alerts. ;->
> And, with whatever happened in this particular case, reload wasn't sufficient to get bind also listening on TCP on the primary Internet facing IPv4 IP address ...
Wow, that's subtle -- and pernicious, in that almost all DNS queries will then work (because UDP), and the only things that won't are DNS queries with answers longer than 512 bytes (requiring TCP transport) and AXFR/IXFR zone transfers (requiring TCP transport).
(I'm explaining for the benefit of readers who may not be old hands at this.)
That's the kind of non-obvious breakage one normally sees only with attempting to pass DNS through firewall rules but forgetting that UDP isn't always sufficient.
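The failure discussed in this thread (a nameserver answering on UDP but not listening on TCP) can be caught by a check that sends the same query over both transports. The following is an added example, not code from either poster; the function names, status strings and the choice of an SOA query are assumptions made for illustration.

```python
import socket
import struct

# Status labels are this example's own; "udp-only" is the case from the thread.
STATUS = {(True, True): "ok", (True, False): "udp-only",
          (False, True): "tcp-only", (False, False): "down"}

def build_query(name, qtype=6, qid=0x1234):
    """Minimal DNS query for `name` (QTYPE 6 = SOA, class IN, no recursion)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def _valid(query, reply):
    # A usable reply echoes our query ID and has the QR (response) bit set.
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf

def probe_udp(host, port, query, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, port))
            return _valid(query, s.recvfrom(4096)[0])
        except OSError:  # timeout or ICMP port unreachable
            return False

def probe_tcp(host, port, query, timeout=2.0):
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix on TCP
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return _valid(query, _recv_exact(s, length))
    except OSError:  # refused, timed out, or closed before a full reply
        return False

def check_dns_transports(host, zone, port=53):
    q = build_query(zone)
    udp, tcp = probe_udp(host, port, q), probe_tcp(host, port, q)
    return {"udp": udp, "tcp": tcp, "status": STATUS[(udp, tcp)]}
```

Run `check_dns_transports()` against each Internet-facing address the server is meant to serve, and alert on any status other than `ok`.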