Date: Fri, 14 Apr 2017 15:24:32 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 218656] dns/bind911 dns/bind910 dns/bind99 default named.conf suggests slaving from f-root
Message-ID: <bug-218656-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218656

            Bug ID: 218656
           Summary: dns/bind911 dns/bind910 dns/bind99 default named.conf
                    suggests slaving from f-root
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: mat@FreeBSD.org
          Reporter: thomas@gibfest.dk
             Flags: maintainer-feedback?(mat@FreeBSD.org)

Copying info from
https://lists.freebsd.org/pipermail/freebsd-ports/2017-April/108144.html here:

Hello,

Cloudflare deployed a bunch (74 apparently) of new f-root dns servers,
which do not permit AXFR like the other f-root instances do. Since our
bind ports default configs suggest slaving . and arpa from f-root this
is a big problem in the cases where anycast routing makes your requests
hit one of the new Cloudflare servers. The new f-root servers appeared
around two weeks ago.

The result for affected users is a nonfunctional name server when their
copy of the root zone expires. See the thread in [1] for more info.

A good alternative could be to change named.conf to use
lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as described in [2].

My named.conf now looks like this:

-----------------------------------------
zone "." {
        type slave;
        file "/usr/local/etc/namedb/slave/root.slave";
        masters {
                192.0.32.132;           // lax.xfr.dns.icann.org
                2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
                192.0.47.132;           // iad.xfr.dns.icann.org
                2620:0:2830:202::132;   // iad.xfr.dns.icann.org
        };
        notify no;
};
zone "arpa" {
        type slave;
        file "/usr/local/etc/namedb/slave/arpa.slave";
        masters {
                192.0.32.132;           // lax.xfr.dns.icann.org
                2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
                192.0.47.132;           // iad.xfr.dns.icann.org
                2620:0:2830:202::132;   // iad.xfr.dns.icann.org
        };
        notify no;
};
-----------------------------------------

And what do we do about the number of running bind servers on freebsd
machines out there that are currently slaving root from an f-root
server? A simple routing change can render the servers useless.

Best regards,

Thomas Steen Rasmussen

[1] https://lists.dns-oarc.net/pipermail/dns-operations/2017-April/016171.html
[2] http://www.dns.icann.org/services/axfr/

-- 
You are receiving this mail because:
You are the assignee for the bug.
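
An added example, not part of the original message or of the ports' own tooling: a Python check that parses named.conf text and reports active slave zones whose masters include f-root, ignoring commented-out suggestions. The f-root addresses (192.5.5.241, 2001:500:2f::f) are the published ones for f.root-servers.net and do not appear in the message; the function names and the sample config are constructed for illustration.

```python
import ipaddress
import re

# Published addresses of f.root-servers.net (assumption: not stated in the message).
F_ROOT = {ipaddress.ip_address("192.5.5.241"), ipaddress.ip_address("2001:500:2f::f")}

def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out zones are not reported."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def zones_slaving_from_f_root(conf):
    """Return {zone name: [f-root masters]} for active slave zones."""
    hits, text = {}, strip_comments(conf)
    # A zone body nests one level deep (masters { ... };), so match exactly that.
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{((?:[^{}]|\{[^{}]*\})*)\}', text):
        name, body = m.group(1), m.group(2)
        # "secondary"/"primaries" are the spellings used by newer BIND releases.
        if not re.search(r"\btype\s+(slave|secondary)\s*;", body):
            continue
        masters = re.search(r"\b(?:masters|primaries)\s*(?:port\s+\d+\s*)?\{([^{}]*)\}", body)
        bad = []
        for token in (masters.group(1).split(";") if masters else []):
            try:
                # ip_address() normalises IPv6, so 2001:500:2f:0::f still matches.
                addr = ipaddress.ip_address(token.split()[0])
            except (ValueError, IndexError):
                continue  # empty entry or a named masters list, not a literal address
            if addr in F_ROOT:
                bad.append(str(addr))
        if bad:
            hits[name] = bad
    return hits

# Constructed sample: one commented-out suggestion, one active f-root slave zone,
# and one zone already pointed at an ICANN transfer server.
SAMPLE = '''
// zone "." { type slave; masters { 192.5.5.241; }; };
zone "." {
    type slave;
    file "/usr/local/etc/namedb/slave/root.slave";
    masters {
        192.5.5.241;        // F.ROOT-SERVERS.NET.
        2001:500:2f:0::f;
    };
    notify no;
};
zone "arpa" { type slave; masters { 192.0.32.132; 2620:0:2d0:202::132; }; notify no; };
'''

if __name__ == "__main__":
    print(zones_slaving_from_f_root(SAMPLE))
```
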