Re: default named.conf in bind ports and slaving from f-root
Hi Thomas,

RFC 7706 appendix B.1 is relevant here:
https://tools.ietf.org/html/rfc7706#appendix-B.1

It strongly recommends relying on more than one provider just to avoid cases like this. I strongly recommend that you add all the other root servers (including F) to your patch along with the ICANN servers, as that will allow BIND to try any available server for the zone transfer.

Olafur

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
Re: default named.conf in bind ports and slaving from f-root
On 04/16/17 05:30, Thomas Steen Rasmussen wrote:
> On 04/16/2017 04:02 AM, George Mitchell wrote:
>> On 04/14/17 08:37, Thomas Steen Rasmussen wrote:
>>> Hello,
>>>
>>> Cloudflare deployed a bunch (74 apparently) of new f-root dns
>>> servers, which do not permit AXFR like the other f-root instances
>>> do.
>>> [...]
>>> A good alternative could be to change named.conf to use
>>> lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
>>> described in [2]. My named.conf now looks like this:
>>> [...]
>> Does this issue affect me if I use type "hint" for zone "." like this:
>>
>> zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
>>
>> -- George
>>
> Hello,
>
> Someone else already responded, but for the record: No,
> it does not. Slaving the root zone is an alternative to using
> the hints file. The advantage is that the data is always
> up to date. The disadvantage is stuff like this, obviously.
> [...]

Thank you, Kevin and Thomas, for confirming what I already suspected was the case.

-- George
Re: default named.conf in bind ports and slaving from f-root
On 04/16/2017 04:02 AM, George Mitchell wrote:
> On 04/14/17 08:37, Thomas Steen Rasmussen wrote:
>> Hello,
>>
>> Cloudflare deployed a bunch (74 apparently) of new f-root dns
>> servers, which do not permit AXFR like the other f-root instances
>> do.
>> [...]
>> A good alternative could be to change named.conf to use
>> lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
>> described in [2]. My named.conf now looks like this:
>> [...]
>
> Does this issue affect me if I use type "hint" for zone "." like this:
>
> zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
>
> -- George

Hello,

Someone else already responded, but for the record: No, it does not. Slaving the root zone is an alternative to using the hints file. The advantage is that the data is always up to date. The disadvantage is stuff like this, obviously.

The reason many FreeBSD users have bind slaving . from f-root rather than using the hints file is that the default named.conf from ports strongly suggests doing so, although it is not actually the default.

The root zone is not static, which is why we are trying to get away from root hint files. But the server we choose to AXFR the root from needs to be one that specifically offers AXFR as a service, otherwise we end up in situations like this. The f-root servers have been allowing AXFR since before ICANN existed, but never offered it as an explicitly stated purpose or service. ICANN's AXFR service [1] does specifically offer this service.

I've also configured my monitoring to watch the age of /usr/local/etc/namedb/slave/root.slave and if it is older than 24h then sound an alarm, to avoid similar situations in the future.

Best regards,

Thomas Steen Rasmussen

[1] http://www.dns.icann.org/services/axfr/index.html
Re: default named.conf in bind ports and slaving from f-root
On Sat, Apr 15, 2017 at 7:02 PM, George Mitchell wrote:
> On 04/14/17 08:37, Thomas Steen Rasmussen wrote:
> > Hello,
> >
> > Cloudflare deployed a bunch (74 apparently) of new f-root dns
> > servers, which do not permit AXFR like the other f-root instances
> > do.
> > [...]
> > A good alternative could be to change named.conf to use
> > lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
> > described in [2]. My named.conf now looks like this:
> > [...]
>
> Does this issue affect me if I use type "hint" for zone "." like this:
>
> zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
>
> -- George

It does not have anything to do with "normal" operations using a hints file. This only has an impact on those who transfer zones from a root server. Many of the root servers do not allow AXFRs to reduce load.

-- 
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
Re: default named.conf in bind ports and slaving from f-root
On 04/14/17 08:37, Thomas Steen Rasmussen wrote:
> Hello,
>
> Cloudflare deployed a bunch (74 apparently) of new f-root dns
> servers, which do not permit AXFR like the other f-root instances
> do.
> [...]
> A good alternative could be to change named.conf to use
> lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
> described in [2]. My named.conf now looks like this:
> [...]

Does this issue affect me if I use type "hint" for zone "." like this:

zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };

-- George
Re: default named.conf in bind ports and slaving from f-root
On Fri, Apr 14, 2017 at 05:25:21PM +0200, Thomas Steen Rasmussen wrote:
> On 04/14/2017 04:51 PM, Mathieu Arnold wrote:
> > Hi,
> >
> > I'm busy right now, could you open a PR so that I don't lose and forget
> > this?
>
> Sure thing, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218656
>
> /Thomas

Thomas,

I am really glad you posted this to the mailing list. This morning I woke up to a non-functioning named as it could no longer transfer data from 192.5.5.241 and my arpa/IN/internal-view expired at about midnight last night. I suppose I should have noticed the transfer failure messages in my /var/log/messages file over the past two weeks, but I didn't (or it didn't occur to me how serious they were). I was left with NO outside nameserver resolution at all. Looks like I need to find a reliable backup nameserver that I can use should something like this happen again.

Anyway, luckily my mail server had already received your message to freebsd-ports describing the issue and what you did to correct it. I followed your example and got my nameserver back to the working state.

Thank you!!

Bob

-- 
Bob Willcox     | You're dead, Jim.
b...@immure.com | -- McCoy, "The Tholian Web", stardate unknown
Austin, TX      |
Re: default named.conf in bind ports and slaving from f-root
On 04/14/2017 04:51 PM, Mathieu Arnold wrote:
> Hi,
>
> I'm busy right now, could you open a PR so that I don't lose and forget
> this?

Sure thing, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218656

/Thomas
Re: default named.conf in bind ports and slaving from f-root
Hi,

I'm busy right now, could you open a PR so that I don't lose and forget this?

Le 14/04/2017 à 14:37, Thomas Steen Rasmussen a écrit :
> Hello,
>
> Cloudflare deployed a bunch (74 apparently) of new f-root dns
> servers, which do not permit AXFR like the other f-root instances
> do.
>
> Since our bind ports default configs suggest slaving . and arpa
> from f-root this is a big problem in the cases where anycast
> routing makes your requests hit one of the new Cloudflare
> servers.
>
> The new f-root servers appeared around two weeks ago. The
> result for affected users is a nonfunctional name server when
> their copy of the root zone expires. See the thread in [1] for
> more info.
>
> A good alternative could be to change named.conf to use
> lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
> described in [2]. My named.conf now looks like this:
>
> -
>
> zone "." {
>     type slave;
>     file "/usr/local/etc/namedb/slave/root.slave";
>     masters {
>         192.0.32.132;           // lax.xfr.dns.icann.org
>         2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
>         192.0.47.132;           // iad.xfr.dns.icann.org
>         2620:0:2830:202::132;   // iad.xfr.dns.icann.org
>     };
>     notify no;
> };
> zone "arpa" {
>     type slave;
>     file "/usr/local/etc/namedb/slave/arpa.slave";
>     masters {
>         192.0.32.132;           // lax.xfr.dns.icann.org
>         2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
>         192.0.47.132;           // iad.xfr.dns.icann.org
>         2620:0:2830:202::132;   // iad.xfr.dns.icann.org
>     };
>     notify no;
> };
>
> -
>
> Any thoughts before I open a PR?
>
> And what do we do about the number of running bind servers
> on freebsd machines out there that are currently slaving root
> from an f-root server? A simple routing change can render the
> servers useless.
>
> Best regards,
>
> Thomas Steen Rasmussen
>
> [1]
> https://lists.dns-oarc.net/pipermail/dns-operations/2017-April/016171.html
>
> [2] http://www.dns.icann.org/services/axfr/
>

-- 
Mathieu Arnold
default named.conf in bind ports and slaving from f-root
Hello,

Cloudflare deployed a bunch (74 apparently) of new f-root dns
servers, which do not permit AXFR like the other f-root instances
do.

Since our bind ports default configs suggest slaving . and arpa
from f-root this is a big problem in the cases where anycast
routing makes your requests hit one of the new Cloudflare
servers.

The new f-root servers appeared around two weeks ago. The
result for affected users is a nonfunctional name server when
their copy of the root zone expires. See the thread in [1] for
more info.

A good alternative could be to change named.conf to use
lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
described in [2]. My named.conf now looks like this:

-

zone "." {
    type slave;
    file "/usr/local/etc/namedb/slave/root.slave";
    masters {
        192.0.32.132;           // lax.xfr.dns.icann.org
        2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
        192.0.47.132;           // iad.xfr.dns.icann.org
        2620:0:2830:202::132;   // iad.xfr.dns.icann.org
    };
    notify no;
};
zone "arpa" {
    type slave;
    file "/usr/local/etc/namedb/slave/arpa.slave";
    masters {
        192.0.32.132;           // lax.xfr.dns.icann.org
        2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
        192.0.47.132;           // iad.xfr.dns.icann.org
        2620:0:2830:202::132;   // iad.xfr.dns.icann.org
    };
    notify no;
};

-

Any thoughts before I open a PR?

And what do we do about the number of running bind servers
on freebsd machines out there that are currently slaving root
from an f-root server? A simple routing change can render the
servers useless.

Best regards,

Thomas Steen Rasmussen

[1] https://lists.dns-oarc.net/pipermail/dns-operations/2017-April/016171.html

[2] http://www.dns.icann.org/services/axfr/
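The freshness check Thomas describes in his follow-up (alarm when /usr/local/etc/namedb/slave/root.slave is older than 24h), written out as a cron-able POSIX sh script that covers both slave files from the named.conf above. This is an added example, not code from the thread or the ports tree; the paths and the 24h threshold are the ones given in the thread, and the GNU/BSD stat fallback is an assumption so it runs on both FreeBSD and Linux.

```shell
#!/bin/sh
# Freshness monitor for the slaved root and arpa zone files written by the
# named.conf above (added example, not code from the thread). A slave file
# that has not been rewritten within a day means every configured master is
# refusing or failing AXFR; catching that early beats finding out when the
# zone expires and the resolver goes dark.
# Assumptions: paths and the 24h threshold are the ones mentioned in the
# thread; the stat fallback is ours so the script runs on FreeBSD and Linux.

SLAVE_DIR="/usr/local/etc/namedb/slave"
MAX_AGE_MIN=1440   # 24 hours, the alarm threshold Thomas uses

# Modification time of a file in seconds since the epoch.
# GNU stat takes -c %Y, BSD stat takes -f %m; try GNU first because a
# failed BSD-style call on GNU stat would still print filesystem data.
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# True (exit 0) when the zone file is missing or older than $2 minutes
# (default MAX_AGE_MIN). A missing file is treated as stale: named never
# completed a transfer, or the file path in named.conf is wrong.
zone_file_stale() {
    file=$1
    max_min=${2:-$MAX_AGE_MIN}
    [ -f "$file" ] || return 0
    now=$(date +%s)
    age_min=$(( (now - $(file_mtime "$file")) / 60 ))
    [ "$age_min" -gt "$max_min" ]
}

# Check a space-separated list of zone files against a threshold, print an
# alarm line for each stale one and return the number of stale files.
check_zone_files() {
    stale=0
    for f in $1; do
        if zone_file_stale "$f" "$2"; then
            echo "ALARM: $f missing or not refreshed within $2 minutes" >&2
            stale=$((stale + 1))
        fi
    done
    return "$stale"
}

# Live check for cron: only runs on a host that actually has the slave
# directory. Non-zero exit = at least one zone is no longer transferring;
# check the transfer failure messages in /var/log/messages and the masters.
if [ -d "$SLAVE_DIR" ]; then
    check_zone_files "$SLAVE_DIR/root.slave $SLAVE_DIR/arpa.slave" "$MAX_AGE_MIN"
    exit $?
fi
```

Run it from cron more often than the zone's refresh interval so a failing transfer is reported well before the expiry timer fires.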