From owner-freebsd-ports@freebsd.org  Fri Apr 14 12:37:49 2017
Return-Path: <owner-freebsd-ports@freebsd.org>
Delivered-To: freebsd-ports@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 114A5D3DAF3
 for <freebsd-ports@mailman.ysv.freebsd.org>;
 Fri, 14 Apr 2017 12:37:49 +0000 (UTC)
 (envelope-from thomas@gibfest.dk)
Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org
 [IPv6:2001:1900:2254:206a::50:5])
 by mx1.freebsd.org (Postfix) with ESMTP id EEBDA2E3
 for <freebsd-ports@freebsd.org>; Fri, 14 Apr 2017 12:37:48 +0000 (UTC)
 (envelope-from thomas@gibfest.dk)
Received: by mailman.ysv.freebsd.org (Postfix)
 id EDFD6D3DAF2; Fri, 14 Apr 2017 12:37:48 +0000 (UTC)
Delivered-To: ports@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id EBF48D3DAF1
 for <ports@mailman.ysv.freebsd.org>; Fri, 14 Apr 2017 12:37:48 +0000 (UTC)
 (envelope-from thomas@gibfest.dk)
Received: from mail.tyknet.dk (mail.tyknet.dk
 [IPv6:2a01:4f8:201:2327:144:76:253:226])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id B12A92E2;
 Fri, 14 Apr 2017 12:37:48 +0000 (UTC)
 (envelope-from thomas@gibfest.dk)
Received: from [10.137.5.12] (nat2.hq.bornfiber.dk [185.96.91.2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by mail.tyknet.dk (Postfix) with ESMTPSA id EBFB9A4831E;
 Fri, 14 Apr 2017 12:37:45 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.tyknet.dk EBFB9A4831E
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gibfest.dk; s=default;
 t=1492173466; bh=/K+WZAG/h82tUbTkGOltolI3t+KVN15NWqkzYnDZ9PE=;
 h=To:Cc:From:Subject:Date;
 b=karQL8k9/rAi18LTBjgSQwb2rFyk9L4k5JN+F7vkx7sDkaiuxvhD9fCikElowSAzk
 2nZYyC7e7x2gY7bK9W810p9u+pPFCp4YORUJwwx6wt9WTzZyExZkf1cWHFm8sfPWvC
 07OeOaA0DIXJgp9dk9cigPJErJVM3CO9rUU9FFamjBRZGJ4HDKhZUL0jBll7IVn/DT
 s/q/LL2fsrPCTxomP9C9GCVhRS0j4owVMUZo4Tnptfw6tc5dJKnr+7nzMN7T1PsU+h
 zAsvH9+ndnJbU6ZmIVIM6PGFv7ROHfw/bU/8VGuurRnaeDTwSKeio0K0MG6vwQy2T4
 LI6lm0/jaB+tQ==
To: ports@freebsd.org
Cc: mat@freebsd.org
From: Thomas Steen Rasmussen <thomas@gibfest.dk>
Subject: default named.conf in bind ports and slaving from f-root
Message-ID: <85573e9f-c0e7-1e30-6f95-2fec13e0ac26@gibfest.dk>
Date: Fri, 14 Apr 2017 14:37:44 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Icedove/45.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Apr 2017 12:37:49 -0000

Hello,

Cloudflare deployed a bunch (74 apparently) of new f-root dns
servers, which do not permit AXFR like the other f-root instances
do.

Since our bind ports default configs suggest slaving . and arpa
from f-root this is a big problem in the cases where anycast
routing makes your requests hit one of the new Cloudflare
servers.

The new f-root servers appeared around two weeks ago. The
result for affected users is a nonfunctional name server when
their copy of the root zone expire. See the thread in [1] for
more info.

A good alternative could be to change named.conf to use
lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
described in [2]. My named.conf now looks like this:

-----------------------------------------

zone "." {
         type slave;
         file "/usr/local/etc/namedb/slave/root.slave";
         masters {
                 192.0.32.132;           // lax.xfr.dns.icann.org
                 2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
                 192.0.47.132;           // iad.xfr.dns.icann.org
                 2620:0:2830:202::132;   // iad.xfr.dns.icann.org
         };
         notify no;
};
zone "arpa" {
         type slave;
         file "/usr/local/etc/namedb/slave/arpa.slave";
         masters {
                 192.0.32.132;           // lax.xfr.dns.icann.org
                 2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
                 192.0.47.132;           // iad.xfr.dns.icann.org
                 2620:0:2830:202::132;   // iad.xfr.dns.icann.org
         };
         notify no;
};

-----------------------------------------

Any thoughts before I open a PR?

And what do we do about the number of running bind servers
on freebsd machines out there that are currently slaving root
from an f-root server? A simple routing change can render the
servers useless.


Best regards,

Thomas Steen Rasmussen


[1] 
https://lists.dns-oarc.net/pipermail/dns-operations/2017-April/016171.html

[2] http://www.dns.icann.org/services/axfr/