default named.conf in bind ports and slaving from f-root
Thomas Steen Rasmussen
thomas at gibfest.dk
Fri Apr 14 12:37:49 UTC 2017
Hello,
Cloudflare deployed a bunch (74 apparently) of new f-root dns
servers, which do not permit AXFR like the other f-root instances
do.
Since our bind ports default configs suggest slaving . and arpa
from f-root this is a big problem in the cases where anycast
routing makes your requests hit one of the new Cloudflare
servers.
The new f-root servers appeared around two weeks ago. The
result for affected users is a nonfunctional name server when
their copy of the root zone expires. See the thread in [1] for
more info.
A good alternative could be to change named.conf to use
lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
described in [2]. My named.conf now looks like this:
-----------------------------------------
zone "." {
type slave;
file "/usr/local/etc/namedb/slave/root.slave";
masters {
192.0.32.132; // lax.xfr.dns.icann.org
2620:0:2d0:202::132; // lax.xfr.dns.icann.org
192.0.47.132; // iad.xfr.dns.icann.org
2620:0:2830:202::132; // iad.xfr.dns.icann.org
};
notify no;
};
zone "arpa" {
type slave;
file "/usr/local/etc/namedb/slave/arpa.slave";
masters {
192.0.32.132; // lax.xfr.dns.icann.org
2620:0:2d0:202::132; // lax.xfr.dns.icann.org
192.0.47.132; // iad.xfr.dns.icann.org
2620:0:2830:202::132; // iad.xfr.dns.icann.org
};
notify no;
};
-----------------------------------------
Any thoughts before I open a PR?
And what do we do about the number of running bind servers
on freebsd machines out there that are currently slaving root
from an f-root server? A simple routing change can render the
servers useless.
Best regards,
Thomas Steen Rasmussen
[1] https://lists.dns-oarc.net/pipermail/dns-operations/2017-April/016171.html
[2] http://www.dns.icann.org/services/axfr/
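The failure mode in the post is that a master silently stops answering AXFR and the slave's copy of the zone expires later. Below is an added example (not part of the original post and not FreeBSD's or ICANN's code) that extracts the masters of every slaved zone from a named.conf fragment and probes each one for a zone transfer, so a refused AXFR shows up before the expiry timer does. The sample config is constructed from the zones in the post; the default probe assumes `dig` is installed, and the `probe` parameter is a hypothetical hook so the logic can be exercised without network access.

```python
"""Audit the masters of slaved zones in a named.conf fragment for AXFR.

Parses `zone "<name>" { type slave; masters { ... }; }` blocks and runs
a transfer probe against every master, reporting zones that no master
will transfer (those would expire, exactly the situation in the post).
"""
import re
import subprocess
from typing import Callable, Dict, List

# Constructed sample: the two zones from the post, slaved from the ICANN
# AXFR servers (lax.xfr.dns.icann.org / iad.xfr.dns.icann.org).
SAMPLE_NAMED_CONF = """
zone "." {
type slave;
file "/usr/local/etc/namedb/slave/root.slave";
masters {
192.0.32.132; // lax.xfr.dns.icann.org
2620:0:2d0:202::132; // lax.xfr.dns.icann.org
192.0.47.132; // iad.xfr.dns.icann.org
2620:0:2830:202::132; // iad.xfr.dns.icann.org
};
notify no;
};
zone "arpa" {
type slave;
file "/usr/local/etc/namedb/slave/arpa.slave";
masters {
192.0.32.132; // lax.xfr.dns.icann.org
192.0.47.132; // iad.xfr.dns.icann.org
};
notify no;
};
"""

ZONE_OPEN_RE = re.compile(r'zone\s+"([^"]+)"\s*\{')


def strip_comments(text: str) -> str:
    """Drop `//` line comments so hostnames in comments are not parsed."""
    return re.sub(r'//[^\n]*', '', text)


def _block_end(text: str, open_idx: int) -> int:
    """Index of the '}' matching the '{' at open_idx (handles nesting)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in named.conf fragment")


def parse_slave_masters(conf: str) -> Dict[str, List[str]]:
    """Return {zone_name: [master_address, ...]} for every slave zone."""
    conf = strip_comments(conf)
    result: Dict[str, List[str]] = {}
    for m in ZONE_OPEN_RE.finditer(conf):
        open_idx = m.end() - 1
        body = conf[open_idx + 1:_block_end(conf, open_idx)]
        if not re.search(r'\btype\s+slave\s*;', body):
            continue
        mm = re.search(r'\bmasters\s*\{([^}]*)\}', body)
        masters = []
        if mm:
            for entry in mm.group(1).split(';'):
                entry = entry.strip()
                if entry:
                    # first token is the address; ignore any `port`/`key` options
                    masters.append(entry.split()[0])
        result[m.group(1)] = masters
    return result


def dig_axfr_probe(master: str, zone: str, timeout: int = 15) -> bool:
    """Default probe (assumes dig is installed): True if the master answered
    the AXFR with at least one SOA record; a refused transfer yields none."""
    cmd = ["dig", "+noall", "+answer", "+time=5", "+tries=1",
           f"@{master}", zone, "AXFR"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout).stdout
    except (OSError, subprocess.TimeoutExpired):
        return False
    return "\tSOA\t" in out


def audit(conf: str,
          probe: Callable[[str, str], bool] = dig_axfr_probe) -> Dict[str, Dict[str, bool]]:
    """Probe every master of every slave zone: {zone: {master: transfer_ok}}."""
    return {zone: {m: probe(m, zone) for m in masters}
            for zone, masters in parse_slave_masters(conf).items()}


def zones_at_risk(report: Dict[str, Dict[str, bool]]) -> List[str]:
    """Zones where no master will transfer; these expire once the SOA
    expiry timer runs out, leaving the server unable to resolve."""
    return sorted(z for z, r in report.items() if not any(r.values()))


if __name__ == "__main__":
    for zone, masters in audit(SAMPLE_NAMED_CONF).items():
        for master, ok in masters.items():
            print(f"{zone:6} {master:24} {'AXFR ok' if ok else 'AXFR FAILED'}")
    print("zones at risk of expiry:", zones_at_risk(audit(SAMPLE_NAMED_CONF)) or "none")
```

Running this periodically from cron against the live named.conf gives an early warning that is independent of BIND's own retry/expiry logging; a zone with one refusing master still transfers, but it is worth alerting on, since the post shows how quickly a routing change can take the remaining master away too.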