Date:      Sun, 16 Apr 2017 11:30:05 +0200
From:      Thomas Steen Rasmussen <thomas@gibfest.dk>
To:        George Mitchell <george+freebsd@m5p.com>, ports@freebsd.org
Cc:        mat@freebsd.org
Subject:   Re: default named.conf in bind ports and slaving from f-root
Message-ID:  <d8685cf9-4a42-6faf-5195-dd97d35b9c4a@gibfest.dk>
In-Reply-To: <db0f672e-d457-0e9b-cdb7-40576db8aaac@m5p.com>
References:  <85573e9f-c0e7-1e30-6f95-2fec13e0ac26@gibfest.dk> <db0f672e-d457-0e9b-cdb7-40576db8aaac@m5p.com>

On 04/16/2017 04:02 AM, George Mitchell wrote:
> On 04/14/17 08:37, Thomas Steen Rasmussen wrote:
>> Hello,
>>
>> Cloudflare deployed a bunch (74 apparently) of new f-root dns
>> servers, which do not permit AXFR like the other f-root instances
>> do.
>> [...]
>> A good alternative could be to change named.conf to use
>> lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
>> described in [2]. My named.conf now looks like this:
>> [...]
> Does this issue affect me if I use type "hint" for zone "." like this:
>
> zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
>
> -- George
>
Hello,

Someone else already responded, but for the record: No,
it does not. Slaving the root zone is an alternative to using
the hints file. The advantage is that the data is always
up to date. The disadvantage is stuff like this, obviously.

The reason many FreeBSD users have bind slaving . from
f-root rather than using the hints file is that the default
named.conf from ports strongly suggests doing so,
although it is not actually the default.

The root zone is not static, which is why we are trying
to get away from root hint files. But the server we
choose to AXFR the root from needs to be one that
specifically offers AXFR as a service, otherwise we
end up in situations like this. The f-root servers have
been allowing AXFR since before ICANN existed, but
never offered it as an explicitly stated purpose or service.

ICANN's AXFR service [1] does specifically offer this service.

I've also configured my monitoring to watch the age
of /usr/local/etc/namedb/slave/root.slave and if it is
older than 24h then sound an alarm to avoid similar
situations in the future.


Best regards,

Thomas Steen Rasmussen

[1] http://www.dns.icann.org/services/axfr/index.html
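The file-age check the reply describes, written out here as an added example (not the author's own monitoring script). It assumes the slave file path named in the thread, the 24h limit from the post, and that `stat` is either the FreeBSD or the GNU variant.

```shell
#!/bin/sh
# Alarm when the slaved root zone file stops being refreshed.
# Path and threshold are taken from the thread; override via environment.
ROOT_SLAVE="${ROOT_SLAVE:-/usr/local/etc/namedb/slave/root.slave}"
MAX_AGE_SECONDS="${MAX_AGE_SECONDS:-86400}"   # 24h

# file_mtime FILE -> modification time as epoch seconds.
# GNU stat (-c %Y) is tried first; FreeBSD stat rejects -c and prints only
# to stderr, so the BSD form (-f %m) is the fallback.
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# root_slave_status FILE MAX_AGE [NOW]
# Prints one line and returns 0 (fresh), 1 (stale) or 2 (file missing).
# NOW is an optional epoch timestamp, mainly so the check can be tested.
root_slave_status() {
    file=$1
    max_age=$2
    now=${3:-$(date +%s)}
    if [ ! -f "$file" ]; then
        echo "MISSING: $file does not exist; is the root zone transfer configured?"
        return 2
    fi
    mtime=$(file_mtime "$file")
    age=$((now - mtime))
    if [ "$age" -gt "$max_age" ]; then
        echo "STALE: $file is ${age}s old (limit ${max_age}s); AXFR of . is likely failing"
        return 1
    fi
    echo "OK: $file is ${age}s old"
    return 0
}

# Run the check only when invoked as "script check", so the functions can
# also be sourced from a larger monitoring script.
case "${1:-}" in
    check) root_slave_status "$ROOT_SLAVE" "$MAX_AGE_SECONDS" ;;
esac
```

The exit code maps directly onto a cron job or a Nagios-style plugin: non-zero means the zone is no longer being transferred.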
