dns/bind911: restore port

It is still in extended security mode, see
https://www.isc.org/blogs/bind-update-summer2021/

Reported by:	yasu

MOVED

@@ -16704,7 +16704,6 @@ java/intellij-rubymine|devel/rubymine|2021-12-31|Use better name and category
 lang/python36||2021-12-31|Has expired: Upgrade to a newer Python version. 3.6 is in maintenance status and gets security fixes only. End-of-Life: 2021-12-23. See https://devguide.python.org/
 devel/sdl_sge||2021-12-31|Has expired: Upstream no longer maintained
 net/appkonference||2021-12-31|Has expired: Outdated, depends on unsupported version of net/asterisk
-dns/bind911|dns/bind916|2021-12-31|Has expired: End of life, please migrate to a newer version of BIND9
 net/zebra||2021-12-31|Has expired: Abandoned upstream, last release in 2005. Consider migrating to net/frr7 or net/bird2
 audio/osalp||2021-12-31|Has expired: Abandoned upstream, listed as beta and no new release since 2008
 games/stransball2||2021-12-31|Has expired: Depends on expired devel/sdl_sge

dns/Makefile

@@ -7,6 +7,7 @@
     SUBDIR += axfr2acl
     SUBDIR += bind-tools
     SUBDIR += bind9-devel
+    SUBDIR += bind911
     SUBDIR += bind916
     SUBDIR += bindgraph
     SUBDIR += blocky

dns/bind911/Makefile

+# pkg-help formatted with fmt 59 63
+
+PORTNAME=	bind
+PORTVERSION=	${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/}
+PORTREVISION=	0
+CATEGORIES=	dns net
+MASTER_SITES=	ISC/bind9/${ISCVERSION}
+PKGNAMESUFFIX=	911
+DISTNAME=	${PORTNAME}-${ISCVERSION}
+
+MAINTAINER=	mat@FreeBSD.org
+COMMENT=	BIND DNS suite with updated DNSSEC and DNS64
+
+LICENSE=	MPL20
+LICENSE_FILE=	${WRKSRC}/COPYRIGHT
+
+DEPRECATED=	End of life, please migrate to a newer version of BIND9
+EXPIRATION_DATE=	2021-12-31
+
+LIB_DEPENDS=	libxml2.so:textproc/libxml2
+RUN_DEPENDS=	bind-tools>0:dns/bind-tools
+
+USES=	cpe libedit pkgconfig
+
+# ISC releases things like 9.8.0-P1, which our versioning doesn't like
+ISCVERSION=	9.11.36
+
+CPE_VENDOR=	isc
+CPE_VERSION=	${ISCVERSION:C/-.*//}
+.if ${ISCVERSION:M*-*}
+CPE_UPDATE=	${ISCVERSION:C/.*-//:tl}
+.endif
+
+GNU_CONFIGURE=	yes
+CONFIGURE_ARGS=	--localstatedir=/var --disable-linux-caps \
+		--with-randomdev=/dev/random \
+		--with-libxml2=${LOCALBASE} \
+		--with-readline="-L${LOCALBASE}/lib -ledit" \
+		--with-dlopen=yes \
+		--with-gost=no \
+		--without-python \
+		--sysconfdir=${ETCDIR}
+ETCDIR=		${PREFIX}/etc/namedb
+
+CONFLICTS=	bind912 bind913 bind914 bind916 bind9-devel
+
+SUB_FILES=	pkg-message named.conf
+USE_RC_SUBR=	named
+
+MAKE_JOBS_UNSAFE=	yes
+
+PORTDOCS=	*
+
+OPTIONS_DEFAULT=	SSL THREADS SIGCHASE IDN GSSAPI_NONE JSON \
+			DLZ_FILESYSTEM LMDB RPZ_NSDNAME RPZ_NSIP TCP_FASTOPEN \
+			FILTER_AAAA DNSTAP
+OPTIONS_DEFINE=		ACCFDNS IDN LARGE_FILE JSON GEOIP \
+			FIXED_RRSET SIGCHASE IPV6 THREADS FILTER_AAAA \
+			RPZ_NSIP RPZ_NSDNAME DOCS \
+			MINCACHE PORTREVISION QUERYTRACE LMDB DNSTAP \
+			START_LATE TUNING_LARGE TCP_FASTOPEN
+
+OPTIONS_RADIO=	CRYPTO
+OPTIONS_RADIO_CRYPTO=	SSL NATIVE_PKCS11
+
+OPTIONS_GROUP=		DLZ
+OPTIONS_GROUP_DLZ=	DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \
+			DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB
+OPTIONS_SINGLE=		GSSAPI
+OPTIONS_SINGLE_GSSAPI=	GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE
+
+OPTIONS_SUB=	yes
+
+ACCFDNS_DESC=		Prefer DNS accept filter over generic one
+CRYPTO_DESC=		Choose which crypto engine to use
+DLZ_BDB_DESC=		DLZ BDB driver
+DLZ_DESC=		Dynamically Loadable Zones
+DLZ_FILESYSTEM_DESC=	DLZ filesystem driver
+DLZ_LDAP_DESC=		DLZ LDAP driver
+DLZ_MYSQL_DESC=		DLZ MySQL driver (no threading)
+DLZ_POSTGRESQL_DESC=	DLZ Postgres driver
+DLZ_STUB_DESC=		DLZ stub driver
+DNSTAP_DESC=		Provides fast passive logging of DNS messages
+FILTER_AAAA_DESC=	Enable filtering of AAAA records
+FIXED_RRSET_DESC=	Enable fixed rrset ordering
+GSSAPI_BASE_DESC=	Using Heimdal in base
+GSSAPI_HEIMDAL_DESC=	Using security/heimdal
+GSSAPI_MIT_DESC=	Using security/krb5
+GSSAPI_NONE_DESC=	Disable
+LARGE_FILE_DESC=	64-bit file support
+LMDB_DESC=		Use LMDB for zone management
+MINCACHE_DESC=		Use the mincachettl patch
+NATIVE_PKCS11_DESC=	Use PKCS\#11 native API (**READ HELP**)
+PORTREVISION_DESC=	Show PORTREVISION in the version string
+QUERYTRACE_DESC=	Enable the very verbose query tracelogging
+RPZ_NSDNAME_DESC=	Enable RPZ NSDNAME policy records
+RPZ_NSIP_DESC=		Enable RPZ NSIP trigger rules
+SIGCHASE_DESC=		dig/host/nslookup will do DNSSEC validation
+SSL_DESC=		Build with OpenSSL (Required for DNSSEC)
+START_LATE_DESC=	Start BIND late in the boot process (see help)
+TCP_FASTOPEN_DESC=	RFC 7413 support
+TUNING_LARGE_DESC=	Tune named for large systems (**READ HELP**)
+
+ACCFDNS_EXTRA_PATCHES=	${PATCHDIR}/extrapatch-interfacemgr.c
+	
+DLZ_BDB_CONFIGURE_ON=	--with-dlz-bdb=yes
+DLZ_BDB_USES=		bdb
+
+DLZ_FILESYSTEM_CONFIGURE_ON=	--with-dlz-filesystem=yes
+
+DLZ_LDAP_CONFIGURE_ON=	--with-dlz-ldap=yes
+DLZ_LDAP_USE=		openldap=yes
+
+DLZ_MYSQL_CONFIGURE_ON=	--with-dlz-mysql=yes
+DLZ_MYSQL_PREVENTS=	THREADS
+DLZ_MYSQL_USES=		mysql
+
+DLZ_POSTGRESQL_CONFIGURE_ON=	--with-dlz-postgres=yes
+DLZ_POSTGRESQL_USES=		pgsql
+
+DLZ_STUB_CONFIGURE_ON=	--with-dlz-stub=yes
+
+DNSTAP_CONFIGURE_ENABLE=	dnstap
+DNSTAP_IMPLIES=		THREADS
+DNSTAP_LIB_DEPENDS=	libfstrm.so:devel/fstrm \
+			libprotobuf-c.so:devel/protobuf-c
+
+FILTER_AAAA_CONFIGURE_ENABLE=	filter-aaaa
+
+FIXED_RRSET_CONFIGURE_ENABLE=	fixed-rrset
+
+GEOIP_CONFIGURE_WITH=	geoip2
+GEOIP_LIB_DEPENDS=	libmaxminddb.so:net/libmaxminddb
+GEOIP_IMPLIES=		THREADS
+
+GSSAPI_BASE_CONFIGURE_ON=\
+	--with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
+GSSAPI_BASE_USES=	gssapi
+
+GSSAPI_HEIMDAL_CONFIGURE_ON=\
+	--with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
+GSSAPI_HEIMDAL_USES=	gssapi:heimdal
+
+GSSAPI_MIT_CONFIGURE_ON=\
+	--with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
+GSSAPI_MIT_USES=	gssapi:mit
+
+GSSAPI_NONE_CONFIGURE_ON=	--without-gssapi
+
+IDN_CONFIGURE_OFF=	--without-libidn2
+IDN_CONFIGURE_ON=	--with-libidn2=${LOCALBASE} ${ICONV_CONFIGURE_BASE}
+IDN_LIB_DEPENDS=	libidn2.so:dns/libidn2
+IDN_USES=		iconv
+
+IPV6_CONFIGURE_ENABLE=	ipv6
+
+JSON_CONFIGURE_WITH=	libjson=${LOCALBASE}
+JSON_LIB_DEPENDS=	libjson-c.so:devel/json-c
+
+LARGE_FILE_CONFIGURE_ENABLE=	largefile
+
+LMDB_CONFIGURE_WITH=	lmdb=${LOCALBASE}
+LMDB_LIB_DEPENDS=	liblmdb.so:databases/lmdb
+
+MINCACHE_EXTRA_PATCHES=	${FILESDIR}/extrapatch-bind-min-override-ttl
+
+NATIVE_PKCS11_CONFIGURE_ENABLE=	native-pkcs11
+NATIVE_PKCS11_IMPLIES=	THREADS
+
+QUERYTRACE_CONFIGURE_ENABLE=	querytrace
+
+RPZ_NSDNAME_CONFIGURE_ENABLE=	rpz-nsdname
+
+RPZ_NSIP_CONFIGURE_ENABLE=	rpz-nsip
+
+SIGCHASE_CONFIGURE_ON=	STD_CDEFINES="-DDIG_SIGCHASE=1"
+
+SSL_CONFIGURE_OFF=	--disable-openssl-version-check --without-openssl
+SSL_CONFIGURE_ON=	--with-openssl=${OPENSSLBASE}
+SSL_USES=		ssl
+
+START_LATE_SUB_LIST=	NAMED_REQUIRE="SERVERS cleanvar" \
+			NAMED_BEFORE="LOGIN"
+START_LATE_SUB_LIST_OFF=NAMED_REQUIRE="NETWORKING ldconfig syslogd" \
+			NAMED_BEFORE="SERVERS"
+
+THREADS_CONFIGURE_ENABLE=	threads
+
+TUNING_LARGE_IMPLIES=	THREADS
+TUNING_LARGE_CONFIGURE_ON=	--with-tuning=large
+TUNING_LARGE_CONFIGURE_OFF=	--with-tuning=default
+
+.include <bsd.port.options.mk>
+
+.if defined(WITH_DEBUG)
+CONFIGURE_ARGS+=	--enable-symtable \
+			--enable-developer
+USES+=	perl5
+USE_PERL5=	build
+BUILD_DEPENDS+=	cmocka>0:sysutils/cmocka
+# Developer mode needs ssl, always
+.if !${PORT_OPTIONS:MSSL}
+CONFIGURE_ARGS+=	--with-openssl=${OPENSSLBASE}
+USES+=		ssl
+.endif
+.else
+CONFIGURE_ARGS+=	--disable-symtable
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if ${SSL_DEFAULT} == base
+SUB_LIST+=	ENGINES=/usr/lib/engines
+.else
+SUB_LIST+=	ENGINES=${LOCALBASE}/lib/engines
+.endif
+
+post-patch:
+.for FILE in check/named-checkconf.8 named/named.8 nsupdate/nsupdate.1 \
+	rndc/rndc.8
+	@${REINPLACE_CMD} -e 's#/etc/named.conf#${ETCDIR}/named.conf#g' \
+		-e 's#/etc/rndc.conf#${ETCDIR}/rndc.conf#g' \
+		-e "s#/var\/run\/named\/named.pid#/var/run/named/pid#" \
+		${WRKSRC}/bin/${FILE}
+.endfor
+
+.if ${PORTREVISION:N0}
+post-patch-PORTREVISION-on:
+	@${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \
+		${WRKSRC}/version
+.endif
+
+post-patch-TCP_FASTOPEN-off:
+	@${REINPLACE_CMD} -e 's/#define ISC_PLATFORM_HAVETFO 1/#undef ISC_PLATFORM_HAVETFO/' ${WRKSRC}/configure
+
+post-install:
+	${MKDIR} ${STAGEDIR}${PREFIX}/etc/mtree
+	${MKDIR} ${STAGEDIR}${ETCDIR}
+.for i in dynamic master slave working
+	@${MKDIR} ${STAGEDIR}${ETCDIR}/$i
+.endfor
+	${INSTALL_DATA} ${WRKDIR}/named.conf ${STAGEDIR}${ETCDIR}/named.conf.sample
+	${INSTALL_DATA} ${FILESDIR}/named.root ${STAGEDIR}${ETCDIR}
+	${INSTALL_DATA} ${FILESDIR}/empty.db ${STAGEDIR}${ETCDIR}/master
+	${INSTALL_DATA} ${FILESDIR}/localhost-forward.db ${STAGEDIR}${ETCDIR}/master
+	${INSTALL_DATA} ${FILESDIR}/localhost-reverse.db ${STAGEDIR}${ETCDIR}/master
+	${INSTALL_DATA} ${FILESDIR}/BIND.chroot.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.dist.sample
+	${INSTALL_DATA} ${FILESDIR}/BIND.chroot.local.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.local.dist.sample
+	${INSTALL_DATA} ${WRKSRC}/bin/rndc/rndc.conf \
+		${STAGEDIR}${ETCDIR}/rndc.conf.sample
+
+post-install-DOCS-on:
+	${MKDIR} ${STAGEDIR}${DOCSDIR}/arm
+	${INSTALL_DATA} ${WRKSRC}/doc/arm/*.html ${STAGEDIR}${DOCSDIR}/arm
+	${INSTALL_DATA} ${WRKSRC}/doc/arm/Bv9ARM.pdf ${STAGEDIR}${DOCSDIR}
+	${INSTALL_DATA} ${WRKSRC}/CHANGES \
+		${WRKSRC}/HISTORY* ${WRKSRC}/README* ${STAGEDIR}${DOCSDIR}
+
+.include <bsd.port.post.mk>

dns/bind911/distinfo

+TIMESTAMP = 1635400901
+SHA256 (bind-9.11.36.tar.gz) = c953fcb6703b395aaa53e65ff8b2869b69a5303dd60507cba2201305e1811681
+SIZE (bind-9.11.36.tar.gz) = 8313276

dns/bind911/files/BIND.chroot.dist

+# mtree -deU -f files/BIND.chroot.dist -p tmp
+# mtree -cjnb -k uname,gname,mode -p tmp
+
+/set type=file uname=root gname=wheel mode=0755
+.               type=dir
+    dev             type=dir mode=0555
+    ..
+    etc             type=dir
+    ..
+    tmp             type=dir mode=01777
+    ..
+/set type=file uname=bind gname=bind mode=0755
+    var             type=dir uname=root gname=wheel
+        dump            type=dir
+        ..
+        log             type=dir
+        ..
+        run             type=dir
+            named           type=dir
+            ..
+        ..
+        stats           type=dir
+        ..
+    ..

dns/bind911/files/BIND.chroot.local.dist

+# mtree -deU -f files/BIND.etc.dist -p tmp
+# mtree -cjnb -k uname,gname,mode -p tmp
+
+/set type=file uname=root gname=wheel mode=0755
+.               type=dir
+    etc             type=dir
+/set type=file uname=bind gname=wheel mode=0755
+        namedb          type=dir uname=root
+            dynamic         type=dir
+            ..
+            master          type=dir uname=root
+            ..
+            slave           type=dir
+            ..
+            working         type=dir
+            ..
+        ..
+    ..

dns/bind911/files/empty.db

+$TTL 3h
+@ SOA @ nobody.localhost. 42 1d 12h 1w 3h
+	; Serial, Refresh, Retry, Expire, Neg. cache TTL
+
+@	NS	@
+
+; Silence a BIND warning
+@	A	127.0.0.1

dns/bind911/files/extrapatch-bind-min-override-ttl

+- Add the min-cache-ttl config knob.
+- Add the override-cache-ttl config knob.
+
+--- bin/named/config.c.orig	2021-05-12 10:45:51 UTC
++++ bin/named/config.c
+@@ -182,6 +182,8 @@ options {\n\
+ "	max-acache-size 16M;\n\
+ 	max-cache-size 90%;\n\
+ 	max-cache-ttl 604800; /* 1 week */\n\
++	min-cache-ttl 0; /* no minimal, zero is allowed */\n\
++	override-cache-ttl 0; /* do not override */\n\
+ 	max-clients-per-query 100;\n\
+ 	max-ncache-ttl 10800; /* 3 hours */\n\
+ 	max-recursion-depth 7;\n\
+--- bin/named/server.c.orig	2021-05-12 10:45:51 UTC
++++ bin/named/server.c
+@@ -3721,6 +3721,16 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewl
+ 	}
+ 
+ 	obj = NULL;
++	result = ns_config_get(maps, "override-cache-ttl", &obj);
++	INSIST(result == ISC_R_SUCCESS);
++	view->overridecachettl = cfg_obj_asuint32(obj);
++
++	obj = NULL;
++	result = ns_config_get(maps, "min-cache-ttl", &obj);
++	INSIST(result == ISC_R_SUCCESS);
++	view->mincachettl = cfg_obj_asuint32(obj);
++
++	obj = NULL;
+ 	result = ns_config_get(maps, "max-cache-ttl", &obj);
+ 	INSIST(result == ISC_R_SUCCESS);
+ 	view->maxcachettl = cfg_obj_asuint32(obj);
+--- lib/dns/include/dns/view.h.orig	2021-05-12 10:45:51 UTC
++++ lib/dns/include/dns/view.h
+@@ -152,6 +152,8 @@ struct dns_view {
+ 	bool			requestnsid;
+ 	bool			sendcookie;
+ 	dns_ttl_t			maxcachettl;
++	dns_ttl_t			mincachettl;
++	dns_ttl_t			overridecachettl;
+ 	dns_ttl_t			maxncachettl;
+ 	uint32_t			nta_lifetime;
+ 	uint32_t			nta_recheck;
+--- lib/dns/resolver.c.orig	2021-05-12 10:45:51 UTC
++++ lib/dns/resolver.c
+@@ -5579,6 +5579,18 @@ cache_name(fetchctx_t *fctx, dns_message_t *rmessage,
+ 		}
+ 
+ 		/*
++		 * Enforce the configure cache TTL override.
++		 */
++                if (res->view->overridecachettl)
++                        rdataset->ttl = res->view->overridecachettl;
++
++		/*
++		 * Enforce the configure minimum cache TTL.
++		 */
++                if (rdataset->ttl < res->view->mincachettl)
++                        rdataset->ttl = res->view->mincachettl;
++
++		/*
+ 		 * Enforce the configure maximum cache TTL.
+ 		 */
+ 		if (rdataset->ttl > res->view->maxcachettl) {
+--- lib/isccfg/namedconf.c.orig	2021-05-12 10:45:51 UTC
++++ lib/isccfg/namedconf.c
+@@ -1773,6 +1773,8 @@ view_clauses[] = {
+ #endif
+ 	{ "max-acache-size", &cfg_type_sizenodefault, 0 },
+ 	{ "max-cache-size", &cfg_type_sizeorpercent, 0 },
++	{ "override-cache-ttl", &cfg_type_uint32, 0 },
++	{ "min-cache-ttl", &cfg_type_uint32, 0 },
+ 	{ "max-cache-ttl", &cfg_type_uint32, 0 },
+ 	{ "max-clients-per-query", &cfg_type_uint32, 0 },
+ 	{ "max-ncache-ttl", &cfg_type_uint32, 0 },

dns/bind911/files/extrapatch-interfacemgr.c

+Use accf_dns's kernel module if available.
+
+--- bin/named/interfacemgr.c.orig	2020-08-06 10:05:20 UTC
++++ bin/named/interfacemgr.c
+@@ -521,7 +521,8 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
+ 	 * If/when there a multiple filters listen to the
+ 	 * result.
+ 	 */
+-	(void)isc_socket_filter(ifp->tcpsocket, "dataready");
++	if (isc_socket_filter(ifp->tcpsocket, "dnsready") != ISC_R_SUCCESS)
++		(void)isc_socket_filter(ifp->tcpsocket, "dataready");
+ 
+ 	result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, true);
+ 	if (result != ISC_R_SUCCESS) {

dns/bind911/files/localhost-forward.db

+$TTL 3h
+localhost. SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
+	; Serial, Refresh, Retry, Expire, Neg. cache TTL
+
+	NS	localhost.
+
+	A	127.0.0.1
+	AAAA	::1

dns/bind911/files/localhost-reverse.db

+$TTL 3h
+@ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
+	; Serial, Refresh, Retry, Expire, Neg. cache TTL
+
+	NS	localhost.
+
+1.0.0	PTR	localhost.
+
+1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR localhost.
+

dns/bind911/files/named.conf.in

+// Refer to the named.conf(5) and named(8) man pages, and the documentation
+// in /usr/local/share/doc/bind for more details.
+//
+// If you are going to set up an authoritative server, make sure you
+// understand the hairy details of how DNS works.  Even with
+// simple mistakes, you can break connectivity for affected parties,
+// or cause huge amounts of useless Internet traffic.
+
+options {
+	// All file and path names are relative to the chroot directory,
+	// if any, and should be fully qualified.
+	directory	"%%ETCDIR%%/working";
+	pid-file	"/var/run/named/pid";
+	dump-file	"/var/dump/named_dump.db";
+	statistics-file	"/var/stats/named.stats";
+
+// If named is being used only as a local resolver, this is a safe default.
+// For named to be accessible to the network, comment this option, specify
+// the proper IP address, or delete this option.
+	listen-on	{ 127.0.0.1; };
+
+// If you have IPv6 enabled on this system, uncomment this option for
+// use as a local resolver.  To give access to the network, specify
+// an IPv6 address, or the keyword "any".
+//	listen-on-v6	{ ::1; };
+
+// These zones are already covered by the empty zones listed below.
+// If you remove the related empty zones below, comment these lines out.
+	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
+	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+
+// If you've got a DNS server around at your upstream provider, enter
+// its IP address here, and enable the line below.  This will make you
+// benefit from its cache, thus reduce overall DNS traffic in the Internet.
+/*
+	forwarders {
+		127.0.0.1;
+	};
+*/
+
+// If the 'forwarders' clause is not empty the default is to 'forward first'
+// which will fall back to sending a query from your local server if the name
+// servers in 'forwarders' do not have the answer.  Alternatively you can
+// force your name server to never initiate queries of its own by enabling the
+// following line:
+//	forward only;
+
+// If you wish to have forwarding configured automatically based on
+// the entries in /etc/resolv.conf, uncomment the following line and
+// set named_auto_forward=yes in /etc/rc.conf.  You can also enable
+// named_auto_forward_only (the effect of which is described above).
+//	include "%%ETCDIR%%/auto_forward.conf";
+
+	/*
+	   Modern versions of BIND use a random UDP port for each outgoing
+	   query by default in order to dramatically reduce the possibility
+	   of cache poisoning.  All users are strongly encouraged to utilize
+	   this feature, and to configure their firewalls to accommodate it.
+
+	   AS A LAST RESORT in order to get around a restrictive firewall
+	   policy you can try enabling the option below.  Use of this option
+	   will significantly reduce your ability to withstand cache poisoning
+	   attacks, and should be avoided if at all possible.
+
+	   Replace NNNNN in the example with a number between 49160 and 65530.
+	*/
+	// query-source address * port NNNNN;
+};
+
+// If you enable a local name server, don't forget to enter 127.0.0.1
+// first in your /etc/resolv.conf so this server will be queried.
+// Also, make sure to enable it in /etc/rc.conf.
+
+// The traditional root hints mechanism. Use this, OR the slave zones below.
+zone "." { type hint; file "%%ETCDIR%%/named.root"; };
+
+/*	Slaving the following zones from the root name servers has some
+	significant advantages:
+	1. Faster local resolution for your users
+	2. No spurious traffic will be sent from your network to the roots
+	3. Greater resilience to any potential root server failure/DDoS
+
+	On the other hand, this method requires more monitoring than the
+	hints file to be sure that an unexpected failure mode has not
+	incapacitated your server.  Name servers that are serving a lot
+	of clients will benefit more from this approach than individual
+	hosts.  Use with caution.
+
+	To use this mechanism, uncomment the entries below, and comment
+	the hint zone above.
+
+	As documented at http://dns.icann.org/services/axfr/ these zones:
+	"." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and a few others
+	are available for AXFR from these servers on IPv4 and IPv6:
+	xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
+*/
+/*
+zone "." {
+	type slave;
+	file "%%ETCDIR%%/slave/root.slave";
+	masters {
+		192.0.32.132;           // lax.xfr.dns.icann.org
+		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
+		192.0.47.132;           // iad.xfr.dns.icann.org
+		2620:0:2830:202::132;   // iad.xfr.dns.icann.org
+	};
+	notify no;
+};
+zone "arpa" {
+	type slave;
+	file "%%ETCDIR%%/slave/arpa.slave";
+	masters {
+		192.0.32.132;           // lax.xfr.dns.icann.org
+		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
+		192.0.47.132;           // iad.xfr.dns.icann.org
+		2620:0:2830:202::132;   // iad.xfr.dns.icann.org
+	};
+	notify no;
+};
+zone "in-addr.arpa" {
+	type slave;
+	file "%%ETCDIR%%/slave/in-addr.arpa.slave";
+	masters {
+		192.0.32.132;           // lax.xfr.dns.icann.org
+		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
+		192.0.47.132;           // iad.xfr.dns.icann.org
+		2620:0:2830:202::132;   // iad.xfr.dns.icann.org
+	};
+	notify no;
+};
+zone "ip6.arpa" {
+	type slave;
+	file "%%ETCDIR%%/slave/ip6.arpa.slave";
+	masters {
+		192.0.32.132;           // lax.xfr.dns.icann.org
+		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
+		192.0.47.132;           // iad.xfr.dns.icann.org
+		2620:0:2830:202::132;   // iad.xfr.dns.icann.org
+	};
+	notify no;
+};
+*/
+
+/*	Serving the following zones locally will prevent any queries
+	for these zones leaving your network and going to the root
+	name servers.  This has two significant advantages:
+	1. Faster local resolution for your users
+	2. No spurious traffic will be sent from your network to the roots
+*/
+// RFCs 1912, 5735 and 6303 (and BCP 32 for localhost)
+zone "localhost"	{ type master; file "%%ETCDIR%%/master/localhost-forward.db"; };
+zone "127.in-addr.arpa"	{ type master; file "%%ETCDIR%%/master/localhost-reverse.db"; };
+zone "255.in-addr.arpa"	{ type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// RFC 1912-style zone for IPv6 localhost address (RFC 6303)
+zone "0.ip6.arpa"	{ type master; file "%%ETCDIR%%/master/localhost-reverse.db"; };
+
+// "This" Network (RFCs 1912, 5735 and 6303)
+zone "0.in-addr.arpa"	{ type master; file "%%ETCDIR%%/master/empty.db"; };
+
+// Private Use Networks (RFCs 1918, 5735 and 6303)
+zone "10.in-addr.arpa"	   { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "16.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "17.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "18.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "19.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "20.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "21.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "22.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "23.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "24.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "25.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "26.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
+zone "27.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };