From nobody@FreeBSD.org  Thu Oct 25 17:04:58 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id B21E996D
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 25 Oct 2012 17:04:58 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 992D28FC12
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 25 Oct 2012 17:04:58 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id q9PH4wIL058268
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 25 Oct 2012 17:04:58 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id q9PH4wn2058247;
	Thu, 25 Oct 2012 17:04:58 GMT
	(envelope-from nobody)
Message-Id: <201210251704.q9PH4wn2058247@red.freebsd.org>
Date: Thu, 25 Oct 2012 17:04:58 GMT
From: Damien Fleuriot <dam@my.gd>
To: freebsd-gnats-submit@FreeBSD.org
Subject: BIND slaves root and arpa zones on wrong servers
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         173077
>Category:       conf
>Synopsis:       BIND slaves root and arpa zones on wrong servers
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 25 17:10:00 UTC 2012
>Closed-Date:    
>Last-Modified:  Tue May  7 19:10:00 UTC 2013
>Originator:     Damien Fleuriot
>Release:        10.0-CURRENT
>Organization:
hi-media
>Environment:
FreeBSD nas.my.gd 10.0-CURRENT FreeBSD 10.0-CURRENT #3 r239974: Sat Sep  1 18:10:16 UTC 2012     root@nas.my.gd:/usr/obj/data/freebsd/src/head/sys/DAM  amd64
>Description:
From /etc/namedb/named.conf, when using the Slaving mechanism for the root and arpa zones, BIND slaves from F.ROOT-SERVERS.NET.

The commentary lines however recommend using ICANN's XFR servers at:
xfr.lax.dns.icann.org.
xfr.cjr.dns.icann.org.


Is using F an oversight?

We've had problems at work when our /etc/namedb/slave/root.slave and arpa.slave zones expired after the F root server denied AXFRs from our IPs for over a week.

Moving to ICANN's XFR servers solves our problem.

>How-To-Repeat:

>Fix:
Patch attached to use ICANN's XFR servers instead of F.ROOT-SERVERS.NET

Patch attached with submission follows:

--- named.conf	2012-09-01 11:43:31.689334254 +0000
+++ named.conf.fixed	2012-10-25 18:53:00.175330638 +0000
@@ -102,7 +102,8 @@
 	type slave;
 	file "/etc/namedb/slave/root.slave";
 	masters {
-		192.5.5.241;	// F.ROOT-SERVERS.NET.
+		192.0.32.140;	// xfr.lax.dns.icann.org.
+		192.0.47.140;	// xfr.cjr.dns.icann.org.
 	};
 	notify no;
 };
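Review bot: The two new masters entries tie each address to its host only through a trailing comment ("192.0.32.140;	// xfr.lax.dns.icann.org."), and nothing in the block tells an operator that these addresses must be re-checked against the current A records of those names. Since masters accepts addresses only, a renumbering on the ICANN side leaves the zone unable to refresh until it expires. Suggest a comment line above the masters block stating that the addresses were resolved from the xfr.*.dns.icann.org names and have to be re-verified periodically.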
@@ -110,7 +111,8 @@
 	type slave;
 	file "/etc/namedb/slave/arpa.slave";
 	masters {
-		192.5.5.241;	// F.ROOT-SERVERS.NET.
+		192.0.32.140;	// xfr.lax.dns.icann.org.
+		192.0.47.140;	// xfr.cjr.dns.icann.org.
 	};
 	notify no;
 };
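Review bot: The arpa zone's masters block repeats the same two addresses already added for the root zone, so any later address change has to be made in two places and a partial edit leaves one zone stale. Suggest declaring the pair once as a named top-level masters list and referencing that list from both zone statements, so the addresses live in a single spot.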


>Release-Note:
>Audit-Trail:

From: Borja Marcos <borjam@sarenet.es>
To: bug-followup@FreeBSD.org,
 dam@my.gd
Cc:  
Subject: Re: conf/173077: BIND slaves root and arpa zones on wrong servers
Date: Tue, 7 May 2013 11:10:10 +0200

 I wouldn't advise to use this unless  it's really closely monitored.
 
 The zone statement in bind's configuration file needs IP addresses, not
 names, to specify master servers. So, if the IP addresses change the
 configuration can be useless.
 
 Actually this happened on April 30th 2013.  The listed IP addresses are
 obsolete.
 
 xfr.lax.dns.icann.org was 192.0.32.140, now it is 192.0.32.132
 xfr.cjr.dns.icann.org was 192.0.47.140, now it is 192.0.47.132
 
 I haven't seen any notice.
 
 

From: Damien Fleuriot <dam@my.gd>
To: Borja Marcos <borjam@sarenet.es>
Cc: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>
Subject: Re: conf/173077: BIND slaves root and arpa zones on wrong servers
Date: Tue, 7 May 2013 21:06:24 +0200

 On 7 May 2013, at 11:10, Borja Marcos <borjam@sarenet.es> wrote:
 
 > I wouldn't advise to use this unless  it's really closely monitored.
 >
 > The zone statement in bind's configuration file needs IP addresses, not
 > names, to specify master servers. So, if the IP addresses change the
 > configuration can be useless.
 >
 > Actually this happened on April 30th 2013.  The listed IP addresses are
 > obsolete.
 >
 > xfr.lax.dns.icann.org was 192.0.32.140, now it is 192.0.32.132
 > xfr.cjr.dns.icann.org was 192.0.47.140, now it is 192.0.47.132
 >
 > I haven't seen any notice.
 >
 
 Neither have I, and it caused us trouble just today when our caches expired.
>Unformatted:
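
The follow-ups above say the hard-coded master addresses need close monitoring. One way to do that is sketched below as an added example; it is not part of the PR or of FreeBSD. It assumes every masters entry keeps the "address; // hostname." comment style used in the patch, and the function names and the sample configuration are constructed for illustration.

```python
import re
import socket

# Constructed sample: a masters block as the patch in this PR leaves it.
SAMPLE_CONF = '''
zone "." {
	type slave;
	file "/etc/namedb/slave/root.slave";
	masters {
		192.0.32.140;	// xfr.lax.dns.icann.org.
		192.0.47.140;	// xfr.cjr.dns.icann.org.
	};
	notify no;
};
'''

MASTERS_RE = re.compile(r'masters\s*\{(.*?)\}', re.S)
ENTRY_RE = re.compile(r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*;\s*//\s*(\S+)', re.M)

def parse_masters(conf_text):
    """Return (ip, hostname) pairs from every masters { } block.
    Only IPv4 entries that carry a '// hostname' comment are picked up."""
    pairs = []
    for block in MASTERS_RE.findall(conf_text):
        pairs.extend(ENTRY_RE.findall(block))
    return pairs

def dns_lookup(name):
    """Current IPv4 addresses for name; empty set if it does not resolve."""
    try:
        return set(socket.gethostbyname_ex(name.rstrip('.'))[2])
    except OSError:
        return set()

def stale_masters(conf_text, resolve=dns_lookup):
    """List (ip, hostname, current_ips) for entries DNS no longer backs."""
    stale = []
    for ip, name in parse_masters(conf_text):
        current = resolve(name)
        if ip not in current:
            stale.append((ip, name, sorted(current)))
    return stale

if __name__ == '__main__':
    for ip, name, now in stale_masters(SAMPLE_CONF):
        print(f'STALE {ip} ({name}) now {now or "unresolvable"}')
```

Run from cron against the live named.conf, any output means a configured master no longer matches its name and the slave zone will expire unless the address is updated.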
