Subject: Re: default named.conf in bind ports and slaving from f-root
From: Thomas Steen Rasmussen
To: George Mitchell, ports@freebsd.org
Cc: mat@freebsd.org
Date: Sun, 16 Apr 2017 11:30:05 +0200

On 04/16/2017 04:02 AM, George Mitchell wrote:
> On 04/14/17 08:37, Thomas Steen Rasmussen wrote:
>> Hello,
>>
>> Cloudflare deployed a bunch (74 apparently) of new f-root dns
>> servers, which do not permit AXFR like the other f-root instances
>> do.
>> [...]
>> A good alternative could be to change named.conf to use
>> lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
>> described in [2]. My named.conf now looks like this:
>> [...]
> Does this issue affect me if I use type "hint" for zone "." like this:
>
> zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
>
> -- George
>

Hello,

Someone else already responded, but for the record: No, it does not. Slaving the root zone is an alternative to using the hints file. The advantage is that the data is always up to date. The disadvantage is stuff like this, obviously.

The reason many FreeBSD users have bind slaving . from f-root rather than using the hints file is that the default named.conf from ports strongly suggests doing so, although it is not actually the default.
The root zone is not static, which is why we are trying to get away from root hint files. But the server we choose to AXFR the root from needs to be one that specifically offers AXFR as a service, otherwise we end up in situations like this. The f-root servers have been allowing AXFR since before ICANN existed, but never offered it as an explicitly stated purpose or service. ICANN's AXFR service [1] does specifically offer this service.

I've also configured my monitoring to watch the age of /usr/local/etc/namedb/slave/root.slave and sound an alarm if it is older than 24h, to avoid similar situations in the future.

Best regards,

Thomas Steen Rasmussen

[1] http://www.dns.icann.org/services/axfr/index.html
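As an added example (not part of the message above or of the FreeBSD port), here is a portable sh check of the kind the author describes: it alarms when the slaved root zone file has not been refreshed within 24h, which is what a silently failing AXFR looks like from the secondary's side. The file path /usr/local/etc/namedb/slave/root.slave and the 24h threshold are taken from the message; the function and script name, and the mapping of results onto monitoring-plugin exit codes (0 OK, 2 CRITICAL, 3 UNKNOWN), are my own assumptions. It tries GNU stat first and falls back to BSD stat, so it runs unchanged on Linux and FreeBSD.

```shell
#!/bin/sh
# check_root_slave.sh: alert when a slaved zone file has stopped being
# refreshed (for example because the master no longer permits AXFR).
# Added example, not the FreeBSD port's code. Exit codes follow the
# monitoring-plugin convention (assumed): 0 OK, 2 CRITICAL, 3 UNKNOWN.

# Print a file's modification time as seconds since the epoch.
# GNU stat (Linux) takes -c, BSD stat (FreeBSD) takes -f; try both.
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null
}

# check_root_slave_age FILE [MAX_AGE_SECONDS]
# Returns 0 if FILE was modified within MAX_AGE_SECONDS (default 24h),
# 2 if it is older than that, 3 if it is missing or cannot be stat'ed.
check_root_slave_age() {
    file=$1
    max_age=${2:-86400}

    if [ ! -f "$file" ]; then
        echo "UNKNOWN: $file does not exist; has the zone ever transferred?"
        return 3
    fi

    mtime=$(file_mtime "$file") || {
        echo "UNKNOWN: cannot stat $file"
        return 3
    }
    now=$(date +%s)
    age=$((now - mtime))
    age_h=$((age / 3600))
    limit_h=$((max_age / 3600))

    if [ "$age" -gt "$max_age" ]; then
        echo "CRITICAL: $file last refreshed ${age_h}h ago (limit ${limit_h}h); AXFR of the root zone may be failing"
        return 2
    fi
    echo "OK: $file refreshed ${age_h}h ago (limit ${limit_h}h)"
    return 0
}

# When invoked as a script with arguments, run the check on them:
#   sh check_root_slave.sh /usr/local/etc/namedb/slave/root.slave 86400
if [ $# -gt 0 ]; then
    check_root_slave_age "$@"
fi
```

Note that BIND only rewrites the slave file when a transfer actually succeeds and the serial has changed, so the file's mtime is a direct signal of transfer health; a zone that is merely not refreshing will also show up as SOA expiry in the logs, but by then the server has already stopped answering for the root, which is what this check is meant to catch earlier.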