Re: default named.conf in bind ports and slaving from f-root

2017-04-17 Thread Olafur Gudmundsson

Hi Thomas, 

RFC 7706 appendix B.1 is relevant here:
https://tools.ietf.org/html/rfc7706#appendix-B.1
It strongly recommends relying on more than one provider, just to avoid cases
like this.
I strongly recommend that you add all the other root servers (including F) to
your patch along with the ICANN servers, as that will allow
BIND to try any available server for the zone transfer.

Olafur



___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"


Re: default named.conf in bind ports and slaving from f-root

2017-04-16 Thread George Mitchell
On 04/16/17 05:30, Thomas Steen Rasmussen wrote:
> On 04/16/2017 04:02 AM, George Mitchell wrote:
>> On 04/14/17 08:37, Thomas Steen Rasmussen wrote:
>>> Hello,
>>>
>>> Cloudflare deployed a bunch (74 apparently) of new f-root dns
>>> servers, which do not permit AXFR like the other f-root instances
>>> do.
>>> [...]
>>> A good alternative could be to change named.conf to use
>>> lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
>>> described in [2]. My named.conf now looks like this:
>>> [...]
>> Does this issue affect me if I use type "hint" for zone "." like this:
>>
>> zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
>>
>> -- George
>>
> Hello,
> 
> Someone else already responded, but for the record: No,
> it does not. Slaving the root zone is an alternative to using
> the hints file. The advantage is that the data is always
> up to date. The disadvantage is stuff like this, obviously.
> [...]

Thank you, Kevin and Thomas, for confirming what I already
suspected was the case.  -- George






Re: default named.conf in bind ports and slaving from f-root

2017-04-16 Thread Thomas Steen Rasmussen

On 04/16/2017 04:02 AM, George Mitchell wrote:

On 04/14/17 08:37, Thomas Steen Rasmussen wrote:

Hello,

Cloudflare deployed a bunch (74 apparently) of new f-root dns
servers, which do not permit AXFR like the other f-root instances
do.
[...]
A good alternative could be to change named.conf to use
lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
described in [2]. My named.conf now looks like this:
[...]

Does this issue affect me if I use type "hint" for zone "." like this:

zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };

-- George


Hello,

Someone else already responded, but for the record: No,
it does not. Slaving the root zone is an alternative to using
the hints file. The advantage is that the data is always
up to date. The disadvantage is stuff like this, obviously.

The reason many FreeBSD users have bind slaving . from
f-root rather than using the hints file is that the default
named.conf from ports strongly suggests doing so,
although it is not actually the default.

The root zone is not static, which is why we are trying
to get away from root hint files. But the server we
choose to AXFR the root from needs to be one that
specifically offers AXFR as a service, otherwise we
end up in situations like this. The f-root servers have
been allowing AXFR since before ICANN existed, but
never offered it as an explicitly stated purpose or service.

ICANN's AXFR service [1] does specifically offer this service.

I've also configured my monitoring to watch the age
of /usr/local/etc/namedb/slave/root.slave and if it is
older than 24h then sound an alarm to avoid similar
situations in the future.


Best regards,

Thomas Steen Rasmussen

[1] http://www.dns.icann.org/services/axfr/index.html



Re: default named.conf in bind ports and slaving from f-root

2017-04-15 Thread Kevin Oberman
On Sat, Apr 15, 2017 at 7:02 PM, George Mitchell wrote:

> On 04/14/17 08:37, Thomas Steen Rasmussen wrote:
> > Hello,
> >
> > Cloudflare deployed a bunch (74 apparently) of new f-root dns
> > servers, which do not permit AXFR like the other f-root instances
> > do.
> > [...]
> > A good alternative could be to change named.conf to use
> > lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
> > described in [2]. My named.conf now looks like this:
> > [...]
>
> Does this issue affect me if I use type "hint" for zone "." like this:
>
> zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
>
> -- George
>

It does not have anything to do with "normal" operations using a hints
file. This only has an impact on those who transfer zones from a root
server. Many of the root servers do not allow AXFRs to reduce load.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683


Re: default named.conf in bind ports and slaving from f-root

2017-04-15 Thread George Mitchell
On 04/14/17 08:37, Thomas Steen Rasmussen wrote:
> Hello,
> 
> Cloudflare deployed a bunch (74 apparently) of new f-root dns
> servers, which do not permit AXFR like the other f-root instances
> do.
> [...]
> A good alternative could be to change named.conf to use
> lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
> described in [2]. My named.conf now looks like this:
> [...]

Does this issue affect me if I use type "hint" for zone "." like this:

zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };

-- George





Re: default named.conf in bind ports and slaving from f-root

2017-04-15 Thread Bob Willcox
On Fri, Apr 14, 2017 at 05:25:21PM +0200, Thomas Steen Rasmussen wrote:
> On 04/14/2017 04:51 PM, Mathieu Arnold wrote:
> > Hi,
> >
> > I'm busy right now, could you open a PR so that I don't lose and forget
> > this?
> 
> Sure thing, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218656
> 
> /Thomas
> 

Thomas,

I am really glad you posted this to the mailing list. This morning I woke up
to a non-functioning named as it could no longer transfer data from
192.5.5.241 and my arpa/IN/internal-view expired at about midnight last night.
I suppose I should have noticed the transfer failure messages in my
/var/log/messages file over the past two weeks, but I didn't (or it didn't
occur to me how serious they were).

I was left with NO outside nameserver resolution at all. Looks like I need to
find a reliable backup nameserver that I can use should something like this
happen again.

Anyway, luckily my mail server had already received your message to
freebsd-ports describing the issue and what you did to correct it. I followed
your example and got my nameserver back to the working state.

Thank you!!
Bob


-- 
Bob Willcox| You're dead, Jim.
b...@immure.com |   -- McCoy, "The Tholian Web", stardate unknown
Austin, TX |
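Two things in this thread point at the same monitoring gap: Bob's named logged transfer failures for two weeks before the zone expired, and Thomas now alarms when /usr/local/etc/namedb/slave/root.slave is older than 24h. The script below is an added example (not code from the thread or from the BIND port) that does both: it scans named's syslog lines for refresh/transfer failures and zone expiry, counts failures per master so a master that has gone quiet shows up early, and checks the age of the slave files. The log lines are constructed in the style of BIND's messages, not captured from a real host; the zone names, the F-root address 192.5.5.241 and the slave file paths are the ones discussed in the thread.

```python
import os
import re
import time

# Constructed sample lines in the style of BIND's syslog output; not captured
# from any real host. Addresses and zone names are those discussed in the
# thread (F-root 192.5.5.241, the "." and "arpa" zones).
SAMPLE_LOG = """\
Apr 14 03:12:01 ns1 named[812]: zone ./IN: refresh: failure trying master 192.5.5.241#53 (source 0.0.0.0#0): timed out
Apr 14 03:12:01 ns1 named[812]: transfer of 'arpa/IN' from 192.5.5.241#53: failed to connect: timed out
Apr 14 03:15:00 ns1 named[812]: zone example.com/IN: loaded serial 2017041400
Apr 15 00:01:13 ns1 named[812]: zone arpa/IN/internal-view: expired
"""

# A refresh attempt against a master that never answered (or refused AXFR).
REFRESH_FAIL = re.compile(
    r"zone (?P<zone>\S+): refresh: failure trying master "
    r"(?P<master>[^#\s]+)#\d+ \(source [^)]*\): (?P<reason>.+)$"
)
# An AXFR/IXFR that started but did not complete.
XFER_FAIL = re.compile(
    r"transfer of '(?P<zone>[^']+)' from (?P<master>[^#\s]+)#\d+: (?P<reason>.+)$"
)
# The point of no return: the slave copy has passed the SOA expire time and
# named stops answering for that zone.
EXPIRED = re.compile(r"zone (?P<zone>\S+): expired$")


def scan_log(text):
    """Return (failures, expired): failures is a list of (zone, master, reason)
    tuples, expired is a list of zones that have already expired."""
    failures, expired = [], []
    for line in text.splitlines():
        m = REFRESH_FAIL.search(line) or XFER_FAIL.search(line)
        if m:
            failures.append((m.group("zone"), m.group("master"), m.group("reason")))
            continue
        m = EXPIRED.search(line)
        if m:
            expired.append(m.group("zone"))
    return failures, expired


def failures_per_master(failures):
    """Count failures by master address, so a master that has gone quiet (as the
    Cloudflare F-root instances did) stands out long before a zone expires."""
    counts = {}
    for _zone, master, _reason in failures:
        counts[master] = counts.get(master, 0) + 1
    return counts


def file_ages(paths, now=None):
    """Map each slave file path to its age in seconds (None if the file is missing)."""
    now = time.time() if now is None else now
    ages = {}
    for path in paths:
        try:
            ages[path] = now - os.stat(path).st_mtime
        except FileNotFoundError:
            ages[path] = None
    return ages


def stale_files(ages, max_age_s=24 * 3600):
    """Return the (path, age) pairs that should raise an alarm: files older than
    max_age_s or missing. 24h is the threshold Thomas chose; the root zone is
    republished about twice a day, so a slave file that old has missed transfers."""
    return [(p, a) for p, a in ages.items() if a is None or a > max_age_s]


if __name__ == "__main__":
    failures, expired = scan_log(SAMPLE_LOG)
    for zone, master, reason in failures:
        print(f"transfer problem: zone {zone} from {master}: {reason}")
    for zone in expired:
        print(f"EXPIRED: {zone}")
    print("failures per master:", failures_per_master(failures))
    # Paths are the ones from the ports named.conf quoted in this thread.
    slave_files = ["/usr/local/etc/namedb/slave/root.slave",
                   "/usr/local/etc/namedb/slave/arpa.slave"]
    for path, age in stale_files(file_ages(slave_files)):
        state = "missing" if age is None else f"{age / 3600:.1f}h old"
        print(f"ALARM: {path} is {state}")
```

Run it from cron against the real /var/log/messages (replace SAMPLE_LOG with the file contents) and alert on any non-empty result from either check; the per-master counts are the early warning, the file age and the "expired" line are the late ones.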


Re: default named.conf in bind ports and slaving from f-root

2017-04-14 Thread Thomas Steen Rasmussen

On 04/14/2017 04:51 PM, Mathieu Arnold wrote:

Hi,

I'm busy right now, could you open a PR so that I don't lose and forget
this?


Sure thing, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218656

/Thomas



Re: default named.conf in bind ports and slaving from f-root

2017-04-14 Thread Mathieu Arnold
Hi,

I'm busy right now, could you open a PR so that I don't lose and forget
this?


Le 14/04/2017 à 14:37, Thomas Steen Rasmussen a écrit :
> Hello,
>
> Cloudflare deployed a bunch (74 apparently) of new f-root dns
> servers, which do not permit AXFR like the other f-root instances
> do.
>
> Since our bind ports default configs suggest slaving . and arpa
> from f-root this is a big problem in the cases where anycast
> routing makes your requests hit one of the new Cloudflare
> servers.
>
> The new f-root servers appeared around two weeks ago. The
> result for affected users is a nonfunctional name server when
> their copy of the root zone expires. See the thread in [1] for
> more info.
>
> A good alternative could be to change named.conf to use
> lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
> described in [2]. My named.conf now looks like this:
>
> -
>
> zone "." {
>     type slave;
>     file "/usr/local/etc/namedb/slave/root.slave";
>     masters {
>         192.0.32.132;           // lax.xfr.dns.icann.org
>         2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
>         192.0.47.132;           // iad.xfr.dns.icann.org
>         2620:0:2830:202::132;   // iad.xfr.dns.icann.org
>     };
>     notify no;
> };
> zone "arpa" {
>     type slave;
>     file "/usr/local/etc/namedb/slave/arpa.slave";
>     masters {
>         192.0.32.132;           // lax.xfr.dns.icann.org
>         2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
>         192.0.47.132;           // iad.xfr.dns.icann.org
>         2620:0:2830:202::132;   // iad.xfr.dns.icann.org
>     };
>     notify no;
> };
>
> -
>
> Any thoughts before I open a PR?
>
> And what do we do about the number of running bind servers
> on freebsd machines out there that are currently slaving root
> from an f-root server? A simple routing change can render the
> servers useless.
>
>
> Best regards,
>
> Thomas Steen Rasmussen
>
>
> [1]
> https://lists.dns-oarc.net/pipermail/dns-operations/2017-April/016171.html
>
> [2] http://www.dns.icann.org/services/axfr/
>
>
>



-- 
Mathieu Arnold


default named.conf in bind ports and slaving from f-root

2017-04-14 Thread Thomas Steen Rasmussen

Hello,

Cloudflare deployed a bunch (74 apparently) of new f-root dns
servers, which do not permit AXFR like the other f-root instances
do.

Since our bind ports default configs suggest slaving . and arpa
from f-root this is a big problem in the cases where anycast
routing makes your requests hit one of the new Cloudflare
servers.

The new f-root servers appeared around two weeks ago. The
result for affected users is a nonfunctional name server when
their copy of the root zone expires. See the thread in [1] for
more info.

A good alternative could be to change named.conf to use
lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as
described in [2]. My named.conf now looks like this:

-

zone "." {
    type slave;
    file "/usr/local/etc/namedb/slave/root.slave";
    masters {
        192.0.32.132;           // lax.xfr.dns.icann.org
        2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
        192.0.47.132;           // iad.xfr.dns.icann.org
        2620:0:2830:202::132;   // iad.xfr.dns.icann.org
    };
    notify no;
};
zone "arpa" {
    type slave;
    file "/usr/local/etc/namedb/slave/arpa.slave";
    masters {
        192.0.32.132;           // lax.xfr.dns.icann.org
        2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
        192.0.47.132;           // iad.xfr.dns.icann.org
        2620:0:2830:202::132;   // iad.xfr.dns.icann.org
    };
    notify no;
};

-

Any thoughts before I open a PR?

And what do we do about the number of running bind servers
on freebsd machines out there that are currently slaving root
from an f-root server? A simple routing change can render the
servers useless.


Best regards,

Thomas Steen Rasmussen


[1] 
https://lists.dns-oarc.net/pipermail/dns-operations/2017-April/016171.html


[2] http://www.dns.icann.org/services/axfr/


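Olafur's point earlier in the thread is that a single AXFR provider is a single point of failure, which is exactly what the Cloudflare F-root change exposed. The fragment below is an added example, not the ports' default named.conf and not a config anyone posted in the thread: it keeps Thomas's ICANN masters and adds F-root alongside them, so BIND can fall back to whichever master still answers. Only addresses that appear in this thread are used (192.5.5.241 is the F-root address Bob's named was transferring from); the remaining root servers from RFC 7706 appendix B.1 are left as a placeholder comment to be filled in from the RFC. The `allow-transfer { none; }` line is my addition, on the assumption that this copy is meant only for the local resolver. The "arpa" zone takes the same masters list.

```conf
// Added example, not the ports' default named.conf. Addresses are the ones
// quoted in this thread; the other root servers listed in RFC 7706
// Appendix B.1 go where the placeholder comment is.
zone "." {
    type slave;
    file "/usr/local/etc/namedb/slave/root.slave";
    masters {
        192.0.32.132;           // lax.xfr.dns.icann.org
        2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
        192.0.47.132;           // iad.xfr.dns.icann.org
        2620:0:2830:202::132;   // iad.xfr.dns.icann.org
        192.5.5.241;            // f.root-servers.net (AXFR still works from the non-Cloudflare instances)
        // ... further root servers from RFC 7706 Appendix B.1 ...
    };
    notify no;
    // Added: this copy serves the local resolver only; never re-serve it by AXFR.
    allow-transfer { none; };
};
```

With several masters listed, BIND tries the next one when a refresh against the first fails, so a routing change that sends you to an instance without AXFR costs a retry rather than the zone.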