default named.conf in bind ports and slaving from f-root

Mathieu Arnold mat at FreeBSD.org
Fri Apr 14 14:51:20 UTC 2017 

Hi,

I'm busy right now, could you open a PR so that I don't loose and forget
this ?


Le 14/04/2017 à 14:37, Thomas Steen Rasmussen a écrit :
> Hello,
>
> Cloudflare deployed a bunch (74 apparently) of new f-root dns
> servers, which do not permit AXFR like the other f-root instances
> do.
>
> Since our bind ports default configs suggest slaving . and arpa
> from f-root this is a big problem in the cases where anycast
> routing makes your requests hit one of the new Cloudflare
> servers.
>
> The new f-root servers appeared around two weeks ago. The
> result for affected users is a nonfunctional name server when
> their copy of the root zone expire. See the thread in [1] for
> more info.
>
> A good alternative could be to change named.conf to use
> lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
> described in [2]. My named.conf now looks like this:
>
> -----------------------------------------
>
> zone "." {
>         type slave;
>         file "/usr/local/etc/namedb/slave/root.slave";
>         masters {
>                 192.0.32.132;           // lax.xfr.dns.icann.org
>                 2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
>                 192.0.47.132;           // iad.xfr.dns.icann.org
>                 2620:0:2830:202::132;   // iad.xfr.dns.icann.org
>         };
>         notify no;
> };
> zone "arpa" {
>         type slave;
>         file "/usr/local/etc/namedb/slave/arpa.slave";
>         masters {
>                 192.0.32.132;           // lax.xfr.dns.icann.org
>                 2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
>                 192.0.47.132;           // iad.xfr.dns.icann.org
>                 2620:0:2830:202::132;   // iad.xfr.dns.icann.org
>         };
>         notify no;
> };
>
> -----------------------------------------
>
> Any thoughts before I open a PR?
>
> And what do we do about the number of running bind servers
> on freebsd machines out there that are currently slaving root
> from an f-root server? A simple routing change can render the
> servers useless.
>
>
> Best regards,
>
> Thomas Steen Rasmussen
>
>
> [1]
> https://lists.dns-oarc.net/pipermail/dns-operations/2017-April/016171.html
>
> [2] http://www.dns.icann.org/services/axfr/
>
>
>



-- 
Mathieu Arnold

More information about the freebsd-ports mailing list