Copying info from https://lists.freebsd.org/pipermail/freebsd-ports/2017-April/108144.html here:

Hello,

Cloudflare deployed a bunch (74 apparently) of new f-root dns servers, which do not permit AXFR like the other f-root instances do. Since our bind ports default configs suggest slaving . and arpa from f-root this is a big problem in the cases where anycast routing makes your requests hit one of the new Cloudflare servers. The new f-root servers appeared around two weeks ago.

The result for affected users is a nonfunctional name server when their copy of the root zone expires. See the thread in [1] for more info.

A good alternative could be to change named.conf to use lax.xfr.dns.icann.org and iad.xfr.dns.icann.org as described in [2]. My named.conf now looks like this:

-----------------------------------------
zone "." {
        type slave;
        file "/usr/local/etc/namedb/slave/root.slave";
        masters {
                192.0.32.132;           // lax.xfr.dns.icann.org
                2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
                192.0.47.132;           // iad.xfr.dns.icann.org
                2620:0:2830:202::132;   // iad.xfr.dns.icann.org
        };
        notify no;
};

zone "arpa" {
        type slave;
        file "/usr/local/etc/namedb/slave/arpa.slave";
        masters {
                192.0.32.132;           // lax.xfr.dns.icann.org
                2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
                192.0.47.132;           // iad.xfr.dns.icann.org
                2620:0:2830:202::132;   // iad.xfr.dns.icann.org
        };
        notify no;
};
-----------------------------------------

And what do we do about the number of running bind servers on freebsd machines out there that are currently slaving root from an f-root server? A simple routing change can render the servers useless.

Best regards,

Thomas Steen Rasmussen

[1] https://lists.dns-oarc.net/pipermail/dns-operations/2017-April/016171.html
[2] http://www.dns.icann.org/services/axfr/
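The failure mode described above (a master that silently stops answering AXFR, so the slave copy of "." or "arpa" eventually expires) is easiest to catch before expiry by asking each configured master for a transfer from the host that runs named, since anycast routing is what decides which instance you reach. The script below is an added example for this report, not part of the PR or the port; it assumes dig(1) from dns/bind-tools is in PATH and takes the master addresses from the named.conf above as arguments.

```shell
#!/bin/sh
# Probe every configured root-zone master with an AXFR and report which
# ones still allow it.  Example added to this report; not the port's code.
# Assumes dig(1) (dns/bind-tools) is installed.  Run from the machine that
# slaves the zones, because anycast decides which instance answers.

ZONES=". arpa"

# Classify one dig AXFR output read from stdin.
# Returns 0 when the transfer completed (dig prints ";; XFR size:"),
# 1 when the master refused it ("; Transfer failed.") or never answered.
axfr_output_ok() {
    out=$(cat)
    case "$out" in
        *"Transfer failed"*|*"connection timed out"*|*"no servers could be reached"*)
            return 1 ;;
    esac
    case "$out" in
        *"XFR size:"*) return 0 ;;
    esac
    return 1
}

# Print the serial of the first SOA record in an AXFR dump read from stdin
# (dig prints: name ttl IN SOA mname rname serial refresh retry expire minimum).
axfr_serial() {
    awk '$4 == "SOA" { print $7; exit }'
}

# $1 = master address, $2 = zone.  Returns 0 if the master serves the zone.
check_master() {
    out=$(dig @"$1" "$2" AXFR +time=5 +tries=1 2>&1)
    if printf '%s\n' "$out" | axfr_output_ok; then
        echo "OK   $1 zone=$2 serial=$(printf '%s\n' "$out" | axfr_serial)"
        return 0
    fi
    echo "FAIL $1 zone=$2: AXFR refused or master unreachable"
    return 1
}

# Check every zone on every master given on the command line; exit non-zero
# if any combination fails, so the script can feed a cron job or monitor.
check_all() {
    rc=0
    for m in "$@"; do
        for z in $ZONES; do
            check_master "$m" "$z" || rc=1
        done
    done
    return $rc
}

if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

Usage: `sh check-root-axfr.sh 192.0.32.132 192.0.47.132`; a non-zero exit means at least one master no longer serves one of the zones.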
I wonder if it would not be better to just remove the commented out example telling you to slave those zones.
A commit references this bug:

Author: mat
Date: Thu Apr 20 13:12:37 UTC 2017
New revision: 438945
URL: https://svnweb.freebsd.org/changeset/ports/438945

Log:
  Update to 9.9.10, 9.10.5, 9.11.1 and 9.12 to latest snapshot.

  While there:
  Make it more maintainable by sorting stuff in the Makefile and removing vestigial pre 10.3 things.
  Refresh the root zone hints.
  "Fix" the configuration section telling you to get some top level zones from f.root-servers.net, which does not allow axfr any more. [1]

  PR: 218656 [1]
  Reported by: Thomas Steen Rasmussen / Tykling [1]
  MFH: 2017Q2
  Sponsored by: Absolight

Changes:
  head/dns/bind-tools/Makefile
  head/dns/bind9-devel/Makefile
  head/dns/bind9-devel/distinfo
  head/dns/bind9-devel/files/extrapatch-bind-min-override-ttl
  head/dns/bind9-devel/files/named.conf.in
  head/dns/bind9-devel/files/named.root
  head/dns/bind910/Makefile
  head/dns/bind910/distinfo
  head/dns/bind910/files/extrapatch-bind-min-override-ttl
  head/dns/bind910/files/named.conf.in
  head/dns/bind910/files/named.root
  head/dns/bind910/files/patch-bin_tests_system_dlzexternal_Makefile.in
  head/dns/bind910/files/patch-configure
  head/dns/bind910/pkg-help
  head/dns/bind910/pkg-plist
  head/dns/bind911/Makefile
  head/dns/bind911/distinfo
  head/dns/bind911/files/extrapatch-bind-min-override-ttl
  head/dns/bind911/files/named.conf.in
  head/dns/bind911/files/named.root
  head/dns/bind911/files/patch-bin_tests_system_dlzexternal_Makefile.in
  head/dns/bind911/files/patch-configure
  head/dns/bind911/pkg-help
  head/dns/bind99/Makefile
  head/dns/bind99/distinfo
  head/dns/bind99/files/extrapatch-bind-min-override-ttl
  head/dns/bind99/files/named.conf.in
  head/dns/bind99/files/named.root
  head/dns/bind99/files/patch-configure
  head/dns/bind99/pkg-help
  head/dns/bind99/pkg-plist
A commit references this bug:

Author: mat
Date: Thu Apr 20 13:15:00 UTC 2017
New revision: 438947
URL: https://svnweb.freebsd.org/changeset/ports/438947

Log:
  MFH: r438945

  Update to 9.9.10, 9.10.5, 9.11.1 and 9.12 to latest snapshot.

  While there:
  Make it more maintainable by sorting stuff in the Makefile and removing vestigial pre 10.3 things.
  Refresh the root zone hints.
  "Fix" the configuration section telling you to get some top level zones from f.root-servers.net, which does not allow axfr any more. [1]

  PR: 218656 [1]
  Reported by: Thomas Steen Rasmussen / Tykling [1]
  Sponsored by: Absolight

Changes:
_U  branches/2017Q2/
  branches/2017Q2/dns/bind-tools/Makefile
  branches/2017Q2/dns/bind9-devel/Makefile
  branches/2017Q2/dns/bind9-devel/distinfo
  branches/2017Q2/dns/bind9-devel/files/extrapatch-bind-min-override-ttl
  branches/2017Q2/dns/bind9-devel/files/named.conf.in
  branches/2017Q2/dns/bind9-devel/files/named.root
  branches/2017Q2/dns/bind910/Makefile
  branches/2017Q2/dns/bind910/distinfo
  branches/2017Q2/dns/bind910/files/extrapatch-bind-min-override-ttl
  branches/2017Q2/dns/bind910/files/named.conf.in
  branches/2017Q2/dns/bind910/files/named.root
  branches/2017Q2/dns/bind910/files/patch-bin_tests_system_dlzexternal_Makefile.in
  branches/2017Q2/dns/bind910/files/patch-configure
  branches/2017Q2/dns/bind910/pkg-help
  branches/2017Q2/dns/bind910/pkg-plist
  branches/2017Q2/dns/bind911/Makefile
  branches/2017Q2/dns/bind911/distinfo
  branches/2017Q2/dns/bind911/files/extrapatch-bind-min-override-ttl
  branches/2017Q2/dns/bind911/files/named.conf.in
  branches/2017Q2/dns/bind911/files/named.root
  branches/2017Q2/dns/bind911/files/patch-bin_tests_system_dlzexternal_Makefile.in
  branches/2017Q2/dns/bind911/files/patch-configure
  branches/2017Q2/dns/bind911/pkg-help
  branches/2017Q2/dns/bind99/Makefile
  branches/2017Q2/dns/bind99/distinfo
  branches/2017Q2/dns/bind99/files/extrapatch-bind-min-override-ttl
  branches/2017Q2/dns/bind99/files/named.conf.in
  branches/2017Q2/dns/bind99/files/named.root
  branches/2017Q2/dns/bind99/files/patch-configure
  branches/2017Q2/dns/bind99/pkg-help
  branches/2017Q2/dns/bind99/pkg-plist