Date:      Fri, 14 Apr 2017 16:51:15 +0200
From:      Mathieu Arnold <mat@FreeBSD.org>
To:        Thomas Steen Rasmussen <thomas@gibfest.dk>, ports@freebsd.org
Cc:        mat@freebsd.org
Subject:   Re: default named.conf in bind ports and slaving from f-root
Message-ID:  <f7ffd0b9-7749-fa2a-596f-afc4aa3db892@FreeBSD.org>
In-Reply-To: <85573e9f-c0e7-1e30-6f95-2fec13e0ac26@gibfest.dk>
References:  <85573e9f-c0e7-1e30-6f95-2fec13e0ac26@gibfest.dk>

Hi,

I'm busy right now, could you open a PR so that I don't lose and forget
this?


On 14/04/2017 at 14:37, Thomas Steen Rasmussen wrote:
> Hello,
>
> Cloudflare deployed a bunch (74 apparently) of new f-root dns
> servers, which do not permit AXFR like the other f-root instances
> do.
>
> Since our bind ports default configs suggest slaving . and arpa
> from f-root this is a big problem in the cases where anycast
> routing makes your requests hit one of the new Cloudflare
> servers.
>
> The new f-root servers appeared around two weeks ago. The
> result for affected users is a nonfunctional name server when
> their copy of the root zone expires. See the thread in [1] for
> more info.
>
> A good alternative could be to change named.conf to use
> lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
> described in [2]. My named.conf now looks like this:
>
> -----------------------------------------
>
> zone "." {
>         type slave;
>         file "/usr/local/etc/namedb/slave/root.slave";
>         masters {
>                 192.0.32.132;           // lax.xfr.dns.icann.org
>                 2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
>                 192.0.47.132;           // iad.xfr.dns.icann.org
>                 2620:0:2830:202::132;   // iad.xfr.dns.icann.org
>         };
>         notify no;
> };
> zone "arpa" {
>         type slave;
>         file "/usr/local/etc/namedb/slave/arpa.slave";
>         masters {
>                 192.0.32.132;           // lax.xfr.dns.icann.org
>                 2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
>                 192.0.47.132;           // iad.xfr.dns.icann.org
>                 2620:0:2830:202::132;   // iad.xfr.dns.icann.org
>         };
>         notify no;
> };
>
> -----------------------------------------
>
> Any thoughts before I open a PR?
>
> And what do we do about the number of running bind servers
> on freebsd machines out there that are currently slaving root
> from an f-root server? A simple routing change can render the
> servers useless.
>
>
> Best regards,
>
> Thomas Steen Rasmussen
>
>
> [1] https://lists.dns-oarc.net/pipermail/dns-operations/2017-April/016171.html
>
> [2] http://www.dns.icann.org/services/axfr/
>
>
>



-- 
Mathieu Arnold
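
For the question raised in the quoted message about servers already slaving the root from f-root, one way to audit a named.conf for affected zones; this is an added example, not part of the thread or of the bind ports. Assumptions: the f-root addresses are the published f.root-servers.net service addresses (not quoted in the thread), the function names are hypothetical, and the sample config is constructed.

```python
import ipaddress
import re

# f.root-servers.net service addresses (public values, not quoted in the thread).
F_ROOT = {ipaddress.ip_address(a) for a in ("192.5.5.241", "2001:500:2f::f")}
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"[^{;]*\{')
MASTERS_RE = re.compile(r'\b(?:masters|primaries)\s*\{([^}]*)\}')

# Constructed sample: "." still slaves from f-root, "arpa" uses the ICANN hosts.
SAMPLE = '''
zone "." { type slave; masters { 192.5.5.241; }; notify no; };  // f-root
zone "arpa" { type slave; masters { 192.0.32.132; 2620:0:2d0:202::132; }; notify no; };
'''

def strip_comments(text):
    """Drop /* */, // and # comments (simplification: ignores quoting)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(?://|#)[^\n]*', '', text)

def zone_bodies(conf):
    """Yield (zone name, body text) for each zone, using brace matching."""
    conf = strip_comments(conf)
    for m in ZONE_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def f_root_slaves(conf):
    """Return {zone: [addresses]} for slave zones that list an f-root master."""
    hits = {}
    for name, body in zone_bodies(conf):
        if not re.search(r'\btype\s+(?:slave|secondary)\s*;', body):
            continue
        for block in MASTERS_RE.findall(body):
            for entry in filter(str.strip, block.split(";")):
                try:
                    addr = ipaddress.ip_address(entry.split()[0])
                except ValueError:
                    continue  # a named list or key, not a literal address
                if addr in F_ROOT:
                    hits.setdefault(name, []).append(str(addr))
    return hits

if __name__ == "__main__":
    print(f_root_slaves(SAMPLE))
```

Addresses are compared as parsed values, so a non-canonical IPv6 spelling of the f-root address is still matched, and masters that are commented out are ignored.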



