Date: Fri, 14 Apr 2017 14:37:44 +0200
From: Thomas Steen Rasmussen <thomas@gibfest.dk>
To: ports@freebsd.org
Cc: mat@freebsd.org
Subject: default named.conf in bind ports and slaving from f-root
Message-ID: <85573e9f-c0e7-1e30-6f95-2fec13e0ac26@gibfest.dk>

Hello,

Cloudflare deployed a bunch (74 apparently) of new f-root DNS servers, which do not permit AXFR like the other f-root instances do. Since our bind ports default configs suggest slaving . and arpa from f-root, this is a big problem in the cases where anycast routing makes your requests hit one of the new Cloudflare servers.

The new f-root servers appeared around two weeks ago. The result for affected users is a nonfunctional name server when their copy of the root zone expires. See the thread in [1] for more info.

A good alternative could be to change named.conf to use lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as described in [2]. My named.conf now looks like this:

-----------------------------------------
zone "." {
        type slave;
        file "/usr/local/etc/namedb/slave/root.slave";
        masters {
                192.0.32.132;           // lax.xfr.dns.icann.org
                2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
                192.0.47.132;           // iad.xfr.dns.icann.org
                2620:0:2830:202::132;   // iad.xfr.dns.icann.org
        };
        notify no;
};
zone "arpa" {
        type slave;
        file "/usr/local/etc/namedb/slave/arpa.slave";
        masters {
                192.0.32.132;           // lax.xfr.dns.icann.org
                2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
                192.0.47.132;           // iad.xfr.dns.icann.org
                2620:0:2830:202::132;   // iad.xfr.dns.icann.org
        };
        notify no;
};
-----------------------------------------

Any thoughts before I open a PR? And what do we do about the number of running bind servers on FreeBSD machines out there that are currently slaving root from an f-root server? A simple routing change can render the servers useless.

Best regards,

Thomas Steen Rasmussen

[1] https://lists.dns-oarc.net/pipermail/dns-operations/2017-April/016171.html
[2] http://www.dns.icann.org/services/axfr/
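
Added example, not part of the original message or of the bind port: a small audit that reads a named.conf and reports slave zones whose masters list still contains an f-root address, which is the exposure the message asks about for hosts already deployed. The f-root addresses (192.5.5.241, 2001:500:2f::f), the function names and the sample config are assumptions of this example; `include` files are not followed.

```python
import ipaddress
import re

# F.ROOT-SERVERS.NET service addresses (well known, not quoted in the message).
F_ROOT = {ipaddress.ip_address(a) for a in ("192.5.5.241", "2001:500:2f::f")}

# Constructed sample config, not taken from any real host.
SAMPLE = """
zone "." { type slave; file "slave/root.slave";
    masters { 192.5.5.241; /* F.ROOT-SERVERS.NET */ }; notify no; };
zone "arpa" { type slave; file "slave/arpa.slave";
    masters { 192.0.32.132; 2001:500:2f:0:0:0:0:f; }; notify no; };
zone "example.org" { type master; file "master/example.org"; };
"""

def strip_comments(text):
    # named.conf accepts /* */, // and # comments.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def block_end(text, start):
    # Index just past the brace that closes the block opened at text[start].
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == "{") - (text[i] == "}")
        if depth == 0:
            return i + 1
    raise ValueError("unbalanced braces in zone block")

def zones_slaving_from_f_root(conf):
    """Return {zone: [f-root addresses]} for slave zones with f-root as a master."""
    conf = strip_comments(conf)
    hits = {}
    for m in re.finditer(r'zone\s+"([^"]+)"[^{;]*\{', conf):
        body = conf[m.end() - 1:block_end(conf, m.end() - 1)]
        masters = re.search(r"\b(?:masters|primaries)\b[^{;]*\{([^}]*)\}", body)
        if not masters or not re.search(r"\btype\s+(slave|secondary)\s*;", body):
            continue
        bad = []
        for entry in masters.group(1).split(";"):
            try:
                addr = ipaddress.ip_address(entry.split()[0])
            except (ValueError, IndexError):
                continue  # empty entry, or a named list rather than an address
            if addr in F_ROOT:
                bad.append(str(addr))
        if bad:
            hits[m.group(1)] = bad
    return hits

if __name__ == "__main__":
    print(zones_slaving_from_f_root(SAMPLE))
```

Addresses are compared as parsed values, so an expanded IPv6 spelling of the f-root address is caught as well as the compressed one.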