Thanks, yes one of those name servers was just added for testing, and I forgot it was still there! After increasing bind9's debugging level I don't see any SERVFAIL errors but I see this:
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44349/key certbot-key: signer "certbot-key" approved
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44349/key certbot-key: updating zone 'malcolm.id.au/IN': adding an RR at '_acme-challenge.db.malcolm.id.au' TXT "ukIxzs7E2I17aJpdMEKPRfLx-vluz3k4Dbqfk8I1N3c"
Apr 14 17:56:22 server named[25909]: /etc/bind/db.malcolm.id.au.jnl: open: permission denied
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44349/key certbot-key: updating zone 'malcolm.id.au/IN': error: journal open failed: unexpected error
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44350/key certbot-key: signer "certbot-key" approved
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44350/key certbot-key: updating zone 'malcolm.id.au/IN': deleting an RR at _acme-challenge.db.malcolm.id.au TXT
I opened up the permissions on /etc/bind to see if that would help with the permission denied error, but it didn't. I'm not sure if this is related to the problem that I'm seeing, anyway.