I'm running an authoritative server using BIND 9.16.1 on Ubuntu 20.04. I recently upgraded from Ubuntu 16.04, and since then I've been having issues resolving both A records and PTR records. Everything worked fine before the upgrade from 16.04 to 20.04. My named.conf, named.conf.options, named.conf.local, etc. configs are below. Your advice would be highly appreciated.
named status
service named status
● named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-08-17 13:15:22 EAT; 10s ago
Docs: man:named(8)
Main PID: 14052 (named)
Tasks: 14 (limit: 19110)
Memory: 73.3M
CGroup: /system.slice/named.service
└─14052 /usr/sbin/named -f -u bind
Aug 17 13:15:27 dns-1 named[14052]: zone_journal: managed-keys-zone/hotspots: enter
Aug 17 13:15:27 dns-1 named[14052]: zone_needdump: managed-keys-zone/hotspots: enter
Aug 17 13:15:27 dns-1 named[14052]: zone_settimer: managed-keys-zone/hotspots: enter
Aug 17 13:15:27 dns-1 named[14052]: managed-keys-zone/external: Unable to fetch DNSKEY set '.': SERVFAIL
Aug 17 13:15:27 dns-1 named[14052]: set_refreshkeytimer: managed-keys-zone/external: enter
Aug 17 13:15:27 dns-1 named[14052]: managed-keys-zone/external: next key refresh: 17-Aug-2021 14:10:47.520
Aug 17 13:15:27 dns-1 named[14052]: zone_settimer: managed-keys-zone/external: enter
Aug 17 13:15:27 dns-1 named[14052]: zone_journal: managed-keys-zone/external: enter
Aug 17 13:15:27 dns-1 named[14052]: zone_needdump: managed-keys-zone/external: enter
Aug 17 13:15:27 dns-1 named[14052]: zone_settimer: managed-keys-zone/external: enter
named.conf
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
logging {
// NOTE(review): both channels are set to "severity debug", so every
// debug-level message (the zone_settimer/zone_journal "enter" lines shown in
// the "service named status" output above) is pushed to syslog and journald;
// "severity info" is the usual operational level — confirm debug is intended.
channel default_syslog {
// Send most of the named messages to syslog.
syslog local2;
severity debug;
};
channel audit_log {
// Send the security related messages to a separate file.
// Rotated after 20 MB, keeping 5 older versions. The file must be writable
// by the user named runs as ("-u bind" in the status output); on Ubuntu the
// stock AppArmor profile for named may not permit writes under /var/named —
// confirm if the file is not being created.
file "/var/named/named.log" versions 5 size 20m;
severity debug;
print-time yes;
};
// Category routing: "security" goes to both channels; resolver, transfer,
// notify, client, network, update, query and lame-server messages go only
// to the file, so they will not appear in the service status output.
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
// "queries" at debug severity records every query received — useful for
// correlating the "query failed (zone not loaded)" syslog lines below, but
// the file grows quickly on a busy server.
category queries { audit_log; };
category lame-servers { audit_log; };
};
//include "/etc/bind/bind.keys";
include "/etc/bind/named.conf.options";
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1918
// zone "0.0.127.in-addr.arpa" {
// type master;
// file "localhost.rev";
// };
// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };
// From the release notes:
// Because many of our users are uncomfortable receiving undelegated answers
// from root or top level domains, other than a few for whom that behaviour
// has been trusted and expected for quite some length of time, we have now
// introduced the "root-delegations-only" feature which applies delegation-only
// logic to all top level domains, and to the root domain. An exception list
// should be specified, including "MUSEUM" and "DE", and any other top level
// domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };
include "/etc/bind/named.conf.local";
named.conf.local
// NOTE(review): the opening line of this view is missing from the paste
// (presumably `view "hotspots" {`, matching the managed-keys-zone/hotspots
// entries in the service status output); the closing `};` below ends it.
match-clients { hotspots; };
// recursion yes;
// Recursion is offered only to clients in the "hotspots" ACL. The ACL is
// defined somewhere not shown here — confirm it lists only the intended
// client networks.
allow-recursion { hotspots; };
zone "." {
type hint;
// Absolute path: the "directory" setting in named.conf.options does not apply.
file "/var/named/root.cache";
};
zone "0.0.127.in-addr.arpa" {
type master;
// Relative path: resolved under "directory" ("/var/cache/bind").
file "localhost.rev";
};
zone "hotspot.domain.com" IN {
type master;
file "named.redirect.hotspot";
};
// NOTE(review): the master zone above and the two secondary zones below set
// no allow-transfer, and none is set in options either, so BIND's built-in
// default applies — check the 9.16 ARM, as that default may allow AXFR from
// any client (the external view's domain.com zone restricts it explicitly).
zone "internet.domain.com" IN {
type slave;
file "slave/slave.internet.com";
masters {1.2.3.4;};
};
zone "ppg.domain.com" IN {
type slave;
file "slave/slave.ppg.com";
masters {1.2.3.4;};
};
};
view "external" {
// Catch-all view: every client that did not match "hotspots" lands here,
// including the Internet-facing queries in the syslog excerpt below.
match-clients { any; };
// recursion yes;
// NOTE(review): recursion is granted to the "recurseallow" ACL, which is not
// shown. Because this view matches any client, a permissive ACL here would
// make the server an open resolver — confirm it is limited to local networks.
allow-recursion { recurseallow; };
// zone "example.com" {
// type master;
// file "externals/db.example.com";
// allow-transfer { slaves; };
// };
zone "." {
type hint;
file "/var/named/root.cache";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
};
zone "domain.com" in {
type master;
// NOTE(review): relative path, so named loads "/var/cache/bind/domain.com.zone"
// ("directory" in named.conf.options), while named-checkzone was run against
// "/var/named/domain.com.zone" — confirm both refer to the same file.
file "domain.com.zone";
// Zone transfers are restricted to a single secondary.
allow-transfer { 5.6.7.8; };
};
[...]
// Presumably holds the in-addr.arpa zones whose PTR queries fail with
// "zone not loaded" in the syslog excerpt; the include is not shown here.
include "/var/named/reverse/named.conf.reverse";
};
named.conf.options
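options {
pid-file "/var/run/bind/run/named.pid";
// Base directory for relative "file" paths in zone statements.
directory "/var/cache/bind";
// Do not set the AA bit on NXDOMAIN answers.
auth-nxdomain no;
// Global default: no recursion. Each view overrides this with its own
// allow-recursion ACL.
allow-recursion { none; };
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
// Outgoing queries may use any local address, and named chooses a random
// ephemeral source port for each one. The previous "port 53" clause pinned
// every upstream query to one fixed source port, which disables the
// source-port randomization that mitigates the cache-poisoning issue
// referenced above (VU#800113). The firewall must allow outbound DNS
// from ephemeral ports (see the comment above).
query-source address *;
// Validate answers using the built-in root trust anchor. The
// "Unable to fetch DNSKEY set '.': SERVFAIL" line in the status output
// means the external view's managed-keys zone could not fetch the root
// DNSKEY set, i.e. the server is not reaching the root servers.
dnssec-validation auto;
listen-on-v6 { any; };
};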
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
syslog
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c481144d0 x.x.x.x#34752 (x.x.x.x.in-addr.arpa): view external: query failed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c4c0cb690 172.217.33.195#53951 (x.x.x.x.in-addr.arpa): view external: query failed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c50064bc0 82.148.111.5#41317 (x.x.x.x.in-addr.arpa): view external: query failed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c481144d0 62.28.40.174#57295 (x.x.x.x.in-addr.arpa): view external: query failed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c481144d0 x.x.x.x#34654 (x.x.x.x.in-addr.arpa): view external: query failed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
ailed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c50064bc0 82.148.111.5#41317 (x.x.x.x.in-addr.arpa): view external: query failed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c481144d0 62.28.40.174#57295 (x.x.x.x.in-addr.arpa): view external: query failed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c481144d0 x.x.x.x#34654 (x.x.x.x.in-addr.arpa): view external: query failed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c401962b0 162.13.174.235#60896 (x.x.x.x.in-addr.arpa): view external: query
named-checkzone
# named-checkzone domain.com named.1.2.3
zone domain.com/IN: NS 'ns1.domain.com' has no address records (A or AAAA)
zone domain.com/IN: NS 'ns2.domain.com' has no address records (A or AAAA)
zone domain.com/IN: not loaded due to errors.
# named-checkzone domain.com /var/named/domain.com.zone
/var/named/domain.com.zone:4: SOA record not at top of zone (domain.com.domain.com)
/var/named/domain.com.zone:218: TTL set to prior TTL (3600)
zone domain.com/IN: loading from master file /var/named/domain.com.zone failed: not at top of zone
zone domain.com/IN: not loaded due to errors.
/var/named/domain.com.zone
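$TTL 86400
; The trailing dot makes this an absolute name. Without it, "domain.com" was
; treated as relative to the zone's own origin, "@" expanded to
; domain.com.domain.com, and named-checkzone rejected the file
; ("SOA record not at top of zone").
$ORIGIN domain.com.
@ IN SOA ns1.domain.com. techs.domain.com. (
2021081702 ; serial, todays date + todays
1H ; refresh, seconds
2H ; retry, seconds
2W ; expire, seconds
1H ) ; minimum, seconds (negative-caching TTL)
;IN NS
@ IN NS ns1.domain.com.
; Owner name omitted, so this record inherits the previous owner ("@").
IN NS ns4.domain.tld.
; IN NS dns-1.domain.com.
; For the IronPort devices
domain.com. IN A 1.2.3.4
; Address record for ns1. The file continues past this excerpt;
; named-checkzone also reported a record without an explicit TTL at line 218.
ns1 IN A 5.6.7.8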