From owner-freebsd-ports@freebsd.org Fri Apr 14 12:37:49 2017
From: Thomas Steen Rasmussen <thomas@gibfest.dk>
To: ports@freebsd.org
Cc: mat@freebsd.org
Subject: default named.conf in bind ports and slaving from f-root
Date: Fri, 14 Apr 2017 14:37:44 +0200
Message-ID: <85573e9f-c0e7-1e30-6f95-2fec13e0ac26@gibfest.dk>
List-Id: Porting software to FreeBSD

Hello,

Cloudflare deployed a bunch (74 apparently) of new f-root DNS servers, which do not permit AXFR like the other f-root instances do. Since our bind ports' default configs suggest slaving . and arpa from f-root, this is a big problem in the cases where anycast routing makes your requests hit one of the new Cloudflare servers. The new f-root servers appeared around two weeks ago.

The result for affected users is a nonfunctional name server when their copy of the root zone expires. See the thread in [1] for more info.

A good alternative could be to change named.conf to use lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as described in [2]. My named.conf now looks like this:

-----------------------------------------
zone "." {
    type slave;
    file "/usr/local/etc/namedb/slave/root.slave";
    masters {
        192.0.32.132;           // lax.xfr.dns.icann.org
        2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
        192.0.47.132;           // iad.xfr.dns.icann.org
        2620:0:2830:202::132;   // iad.xfr.dns.icann.org
    };
    notify no;
};

zone "arpa" {
    type slave;
    file "/usr/local/etc/namedb/slave/arpa.slave";
    masters {
        192.0.32.132;           // lax.xfr.dns.icann.org
        2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
        192.0.47.132;           // iad.xfr.dns.icann.org
        2620:0:2830:202::132;   // iad.xfr.dns.icann.org
    };
    notify no;
};
-----------------------------------------

Any thoughts before I open a PR? And what do we do about the number of running bind servers on FreeBSD machines out there that are currently slaving root from an f-root server? A simple routing change can render the servers useless.

Best regards,

Thomas Steen Rasmussen

[1] https://lists.dns-oarc.net/pipermail/dns-operations/2017-April/016171.html
[2] http://www.dns.icann.org/services/axfr/
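The failure the mail describes only becomes visible once the slave copy hits its SOA expire timer, so a check that reports how much time is left is worth having on any host that slaves the root. The following is an added example, not code from the mail or from the bind ports: it parses the SOA timers out of the slave zone file that named writes and uses the file's mtime as an approximation of the last successful transfer (an assumption; the sample zone text and its serial are constructed).

```python
import re
import time
from pathlib import Path

# Constructed sample of the head of a slave copy of the root zone, in the text
# masterfile format named writes to the zone's "file". Serial is made up; the
# four timers (refresh/retry/expire/minimum) are the real root-zone SOA values.
SAMPLE_ROOT_SLAVE = """\
$ORIGIN .
$TTL 518400 ; 6 days
@ IN SOA a.root-servers.net. nstld.verisign-grs.com. (
        2017041400 ; serial (constructed)
        1800       ; refresh (30 minutes)
        900        ; retry (15 minutes)
        604800     ; expire (1 week)
        86400      ; minimum (1 day)
        )
  NS a.root-servers.net.
"""

SOA_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_soa(zone_text):
    """Return the SOA serial and timers of a zone file as a dict of ints."""
    # Strip ';' comments per line, then flatten the parenthesised SOA record.
    flat = " ".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    m = SOA_RE.search(flat)
    if m is None:
        raise ValueError("no SOA record found")
    return dict(zip(("serial", "refresh", "retry", "expire", "minimum"),
                    map(int, m.groups())))

def zone_status(soa, last_transfer, now):
    """Classify a slave zone; returns (status, seconds until named gives up
    and answers SERVFAIL, i.e. 'expire' seconds after the last good transfer)."""
    age = now - last_transfer
    left = max(0, soa["expire"] - age)
    if age >= soa["expire"]:
        return "expired", left
    if age > soa["refresh"] + soa["retry"]:
        # A scheduled refresh and its retry have both passed without success.
        return "transfer-failing", left
    return "ok", left

def check_slave_file(path, now=None):
    """Check a slave file on disk; its mtime approximates the last transfer."""
    p = Path(path)
    now = time.time() if now is None else now
    return zone_status(parse_soa(p.read_text()), p.stat().st_mtime, now)
```

Running `check_slave_file("/usr/local/etc/namedb/slave/root.slave")` from cron and alerting on anything other than "ok" catches a silently failing AXFR days before the zone actually expires.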