Default BIND installation on CentOS could not resolve some known hostnames. However, it did work for most of the other sites.
The configuration used forwarding which resulted in the error (
/var/log/messages) similar to this:
Dec 14 12:21:33 master named: error (no valid RRSIG) resolving 'example.com/DS/IN': 192.168.122.1#53 Dec 14 12:21:33 master named: error (no valid DS) resolving 'example.com/A/IN': 192.168.122.1#53
The problem was enabled DNSSEC on the local BIND server. It refused to return non-validated answers. In order to switch it off, modify
/etc/named.conf to use these lines:
dnssec-enable no; dnssec-validation no;