Commit fcceccb7 authored by Rene Ladan's avatar Rene Ladan

dns/bind911: restore port

It is still in extended security mode, see
https://www.isc.org/blogs/bind-update-summer2021/

Reported by:	yasu
parent e2b444d8
......@@ -16704,7 +16704,6 @@ java/intellij-rubymine|devel/rubymine|2021-12-31|Use better name and category
lang/python36||2021-12-31|Has expired: Upgrade to a newer Python version. 3.6 is in maintenance status and gets security fixes only. End-of-Life: 2021-12-23. See https://devguide.python.org/
devel/sdl_sge||2021-12-31|Has expired: Upstream no longer maintained
net/appkonference||2021-12-31|Has expired: Outdated, depends on unsupported version of net/asterisk
dns/bind911|dns/bind916|2021-12-31|Has expired: End of life, please migrate to a newer version of BIND9
net/zebra||2021-12-31|Has expired: Abandoned upstream, last release in 2005. Consider migrating to net/frr7 or net/bird2
audio/osalp||2021-12-31|Has expired: Abandoned upstream, listed as beta and no new release since 2008
games/stransball2||2021-12-31|Has expired: Depends on expired devel/sdl_sge
......@@ -7,6 +7,7 @@
SUBDIR += axfr2acl
SUBDIR += bind-tools
SUBDIR += bind9-devel
SUBDIR += bind911
SUBDIR += bind916
SUBDIR += bindgraph
SUBDIR += blocky
......
# pkg-help formatted with fmt 59 63
PORTNAME= bind
PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/}
PORTREVISION= 0
CATEGORIES= dns net
MASTER_SITES= ISC/bind9/${ISCVERSION}
PKGNAMESUFFIX= 911
DISTNAME= ${PORTNAME}-${ISCVERSION}
MAINTAINER= mat@FreeBSD.org
COMMENT= BIND DNS suite with updated DNSSEC and DNS64
LICENSE= MPL20
LICENSE_FILE= ${WRKSRC}/COPYRIGHT
DEPRECATED= End of life, please migrate to a newer version of BIND9
EXPIRATION_DATE= 2021-12-31
LIB_DEPENDS= libxml2.so:textproc/libxml2
RUN_DEPENDS= bind-tools>0:dns/bind-tools
USES= cpe libedit pkgconfig
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
ISCVERSION= 9.11.36
CPE_VENDOR= isc
CPE_VERSION= ${ISCVERSION:C/-.*//}
.if ${ISCVERSION:M*-*}
CPE_UPDATE= ${ISCVERSION:C/.*-//:tl}
.endif
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
--with-randomdev=/dev/random \
--with-libxml2=${LOCALBASE} \
--with-readline="-L${LOCALBASE}/lib -ledit" \
--with-dlopen=yes \
--with-gost=no \
--without-python \
--sysconfdir=${ETCDIR}
ETCDIR= ${PREFIX}/etc/namedb
CONFLICTS= bind912 bind913 bind914 bind916 bind9-devel
SUB_FILES= pkg-message named.conf
USE_RC_SUBR= named
MAKE_JOBS_UNSAFE= yes
PORTDOCS= *
OPTIONS_DEFAULT= SSL THREADS SIGCHASE IDN GSSAPI_NONE JSON \
DLZ_FILESYSTEM LMDB RPZ_NSDNAME RPZ_NSIP TCP_FASTOPEN \
FILTER_AAAA DNSTAP
OPTIONS_DEFINE= ACCFDNS IDN LARGE_FILE JSON GEOIP \
FIXED_RRSET SIGCHASE IPV6 THREADS FILTER_AAAA \
RPZ_NSIP RPZ_NSDNAME DOCS \
MINCACHE PORTREVISION QUERYTRACE LMDB DNSTAP \
START_LATE TUNING_LARGE TCP_FASTOPEN
OPTIONS_RADIO= CRYPTO
OPTIONS_RADIO_CRYPTO= SSL NATIVE_PKCS11
OPTIONS_GROUP= DLZ
OPTIONS_GROUP_DLZ= DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \
DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB
OPTIONS_SINGLE= GSSAPI
OPTIONS_SINGLE_GSSAPI= GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE
OPTIONS_SUB= yes
ACCFDNS_DESC= Prefer DNS accept filter over generic one
CRYPTO_DESC= Choose which crypto engine to use
DLZ_BDB_DESC= DLZ BDB driver
DLZ_DESC= Dynamically Loadable Zones
DLZ_FILESYSTEM_DESC= DLZ filesystem driver
DLZ_LDAP_DESC= DLZ LDAP driver
DLZ_MYSQL_DESC= DLZ MySQL driver (no threading)
DLZ_POSTGRESQL_DESC= DLZ Postgres driver
DLZ_STUB_DESC= DLZ stub driver
DNSTAP_DESC= Provides fast passive logging of DNS messages
FILTER_AAAA_DESC= Enable filtering of AAAA records
FIXED_RRSET_DESC= Enable fixed rrset ordering
GSSAPI_BASE_DESC= Using Heimdal in base
GSSAPI_HEIMDAL_DESC= Using security/heimdal
GSSAPI_MIT_DESC= Using security/krb5
GSSAPI_NONE_DESC= Disable
LARGE_FILE_DESC= 64-bit file support
LMDB_DESC= Use LMDB for zone management
MINCACHE_DESC= Use the mincachettl patch
NATIVE_PKCS11_DESC= Use PKCS\#11 native API (**READ HELP**)
PORTREVISION_DESC= Show PORTREVISION in the version string
QUERYTRACE_DESC= Enable the very verbose query tracelogging
RPZ_NSDNAME_DESC= Enable RPZ NSDNAME policy records
RPZ_NSIP_DESC= Enable RPZ NSIP trigger rules
SIGCHASE_DESC= dig/host/nslookup will do DNSSEC validation
SSL_DESC= Build with OpenSSL (Required for DNSSEC)
START_LATE_DESC= Start BIND late in the boot process (see help)
TCP_FASTOPEN_DESC= RFC 7413 support
TUNING_LARGE_DESC= Tune named for large systems (**READ HELP**)
ACCFDNS_EXTRA_PATCHES= ${PATCHDIR}/extrapatch-interfacemgr.c
DLZ_BDB_CONFIGURE_ON= --with-dlz-bdb=yes
DLZ_BDB_USES= bdb
DLZ_FILESYSTEM_CONFIGURE_ON= --with-dlz-filesystem=yes
DLZ_LDAP_CONFIGURE_ON= --with-dlz-ldap=yes
DLZ_LDAP_USE= openldap=yes
DLZ_MYSQL_CONFIGURE_ON= --with-dlz-mysql=yes
DLZ_MYSQL_PREVENTS= THREADS
DLZ_MYSQL_USES= mysql
DLZ_POSTGRESQL_CONFIGURE_ON= --with-dlz-postgres=yes
DLZ_POSTGRESQL_USES= pgsql
DLZ_STUB_CONFIGURE_ON= --with-dlz-stub=yes
DNSTAP_CONFIGURE_ENABLE= dnstap
DNSTAP_IMPLIES= THREADS
DNSTAP_LIB_DEPENDS= libfstrm.so:devel/fstrm \
libprotobuf-c.so:devel/protobuf-c
FILTER_AAAA_CONFIGURE_ENABLE= filter-aaaa
FIXED_RRSET_CONFIGURE_ENABLE= fixed-rrset
GEOIP_CONFIGURE_WITH= geoip2
GEOIP_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb
GEOIP_IMPLIES= THREADS
GSSAPI_BASE_CONFIGURE_ON=\
--with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
GSSAPI_BASE_USES= gssapi
GSSAPI_HEIMDAL_CONFIGURE_ON=\
--with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
GSSAPI_HEIMDAL_USES= gssapi:heimdal
GSSAPI_MIT_CONFIGURE_ON=\
--with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
GSSAPI_MIT_USES= gssapi:mit
GSSAPI_NONE_CONFIGURE_ON= --without-gssapi
IDN_CONFIGURE_OFF= --without-libidn2
IDN_CONFIGURE_ON= --with-libidn2=${LOCALBASE} ${ICONV_CONFIGURE_BASE}
IDN_LIB_DEPENDS= libidn2.so:dns/libidn2
IDN_USES= iconv
IPV6_CONFIGURE_ENABLE= ipv6
JSON_CONFIGURE_WITH= libjson=${LOCALBASE}
JSON_LIB_DEPENDS= libjson-c.so:devel/json-c
LARGE_FILE_CONFIGURE_ENABLE= largefile
LMDB_CONFIGURE_WITH= lmdb=${LOCALBASE}
LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb
MINCACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl
NATIVE_PKCS11_CONFIGURE_ENABLE= native-pkcs11
NATIVE_PKCS11_IMPLIES= THREADS
QUERYTRACE_CONFIGURE_ENABLE= querytrace
RPZ_NSDNAME_CONFIGURE_ENABLE= rpz-nsdname
RPZ_NSIP_CONFIGURE_ENABLE= rpz-nsip
SIGCHASE_CONFIGURE_ON= STD_CDEFINES="-DDIG_SIGCHASE=1"
SSL_CONFIGURE_OFF= --disable-openssl-version-check --without-openssl
SSL_CONFIGURE_ON= --with-openssl=${OPENSSLBASE}
SSL_USES= ssl
START_LATE_SUB_LIST= NAMED_REQUIRE="SERVERS cleanvar" \
NAMED_BEFORE="LOGIN"
START_LATE_SUB_LIST_OFF=NAMED_REQUIRE="NETWORKING ldconfig syslogd" \
NAMED_BEFORE="SERVERS"
THREADS_CONFIGURE_ENABLE= threads
TUNING_LARGE_IMPLIES= THREADS
TUNING_LARGE_CONFIGURE_ON= --with-tuning=large
TUNING_LARGE_CONFIGURE_OFF= --with-tuning=default
.include <bsd.port.options.mk>
.if defined(WITH_DEBUG)
CONFIGURE_ARGS+= --enable-symtable \
--enable-developer
USES+= perl5
USE_PERL5= build
BUILD_DEPENDS+= cmocka>0:sysutils/cmocka
# Developer mode needs ssl, always
.if !${PORT_OPTIONS:MSSL}
CONFIGURE_ARGS+= --with-openssl=${OPENSSLBASE}
USES+= ssl
.endif
.else
CONFIGURE_ARGS+= --disable-symtable
.endif
.include <bsd.port.pre.mk>
.if ${SSL_DEFAULT} == base
SUB_LIST+= ENGINES=/usr/lib/engines
.else
SUB_LIST+= ENGINES=${LOCALBASE}/lib/engines
.endif
post-patch:
.for FILE in check/named-checkconf.8 named/named.8 nsupdate/nsupdate.1 \
rndc/rndc.8
@${REINPLACE_CMD} -e 's#/etc/named.conf#${ETCDIR}/named.conf#g' \
-e 's#/etc/rndc.conf#${ETCDIR}/rndc.conf#g' \
-e "s#/var\/run\/named\/named.pid#/var/run/named/pid#" \
${WRKSRC}/bin/${FILE}
.endfor
.if ${PORTREVISION:N0}
post-patch-PORTREVISION-on:
@${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \
${WRKSRC}/version
.endif
post-patch-TCP_FASTOPEN-off:
@${REINPLACE_CMD} -e 's/#define ISC_PLATFORM_HAVETFO 1/#undef ISC_PLATFORM_HAVETFO/' ${WRKSRC}/configure
post-install:
${MKDIR} ${STAGEDIR}${PREFIX}/etc/mtree
${MKDIR} ${STAGEDIR}${ETCDIR}
.for i in dynamic master slave working
@${MKDIR} ${STAGEDIR}${ETCDIR}/$i
.endfor
${INSTALL_DATA} ${WRKDIR}/named.conf ${STAGEDIR}${ETCDIR}/named.conf.sample
${INSTALL_DATA} ${FILESDIR}/named.root ${STAGEDIR}${ETCDIR}
${INSTALL_DATA} ${FILESDIR}/empty.db ${STAGEDIR}${ETCDIR}/master
${INSTALL_DATA} ${FILESDIR}/localhost-forward.db ${STAGEDIR}${ETCDIR}/master
${INSTALL_DATA} ${FILESDIR}/localhost-reverse.db ${STAGEDIR}${ETCDIR}/master
${INSTALL_DATA} ${FILESDIR}/BIND.chroot.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.dist.sample
${INSTALL_DATA} ${FILESDIR}/BIND.chroot.local.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.local.dist.sample
${INSTALL_DATA} ${WRKSRC}/bin/rndc/rndc.conf \
${STAGEDIR}${ETCDIR}/rndc.conf.sample
post-install-DOCS-on:
${MKDIR} ${STAGEDIR}${DOCSDIR}/arm
${INSTALL_DATA} ${WRKSRC}/doc/arm/*.html ${STAGEDIR}${DOCSDIR}/arm
${INSTALL_DATA} ${WRKSRC}/doc/arm/Bv9ARM.pdf ${STAGEDIR}${DOCSDIR}
${INSTALL_DATA} ${WRKSRC}/CHANGES \
${WRKSRC}/HISTORY* ${WRKSRC}/README* ${STAGEDIR}${DOCSDIR}
.include <bsd.port.post.mk>
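Review bot: The restored Makefile still carries `DEPRECATED= End of life, please migrate to a newer version of BIND9` and `EXPIRATION_DATE= 2021-12-31`, the same date as the MOVED entry this commit deletes, so the port comes back already past its own expiry. That contradicts the commit message, which says 9.11 is still in extended security mode upstream, and it presumably leaves the port flagged as expired and open to removal by the next expiry sweep. I would set the date to the end of upstream's extended support, e.g. `EXPIRATION_DATE= <end-of-support date from the ISC announcement>`, and reword DEPRECATED to say that only security fixes are provided until then. Operators on this branch would then see an accurate migration deadline rather than a stale one.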
TIMESTAMP = 1635400901
SHA256 (bind-9.11.36.tar.gz) = c953fcb6703b395aaa53e65ff8b2869b69a5303dd60507cba2201305e1811681
SIZE (bind-9.11.36.tar.gz) = 8313276
# mtree -deU -f files/BIND.chroot.dist -p tmp
# mtree -cjnb -k uname,gname,mode -p tmp
/set type=file uname=root gname=wheel mode=0755
. type=dir
dev type=dir mode=0555
..
etc type=dir
..
tmp type=dir mode=01777
..
/set type=file uname=bind gname=bind mode=0755
var type=dir uname=root gname=wheel
dump type=dir
..
log type=dir
..
run type=dir
named type=dir
..
..
stats type=dir
..
..
# mtree -deU -f files/BIND.etc.dist -p tmp
# mtree -cjnb -k uname,gname,mode -p tmp
/set type=file uname=root gname=wheel mode=0755
. type=dir
etc type=dir
/set type=file uname=bind gname=wheel mode=0755
namedb type=dir uname=root
dynamic type=dir
..
master type=dir uname=root
..
slave type=dir
..
working type=dir
..
..
..
$TTL 3h
@ SOA @ nobody.localhost. 42 1d 12h 1w 3h
; Serial, Refresh, Retry, Expire, Neg. cache TTL
@ NS @
; Silence a BIND warning
@ A 127.0.0.1
- Add the min-cache-ttl config knob.
- Add the override-cache-ttl config knob.
--- bin/named/config.c.orig 2021-05-12 10:45:51 UTC
+++ bin/named/config.c
@@ -182,6 +182,8 @@ options {\n\
" max-acache-size 16M;\n\
max-cache-size 90%;\n\
max-cache-ttl 604800; /* 1 week */\n\
+ min-cache-ttl 0; /* no minimal, zero is allowed */\n\
+ override-cache-ttl 0; /* do not override */\n\
max-clients-per-query 100;\n\
max-ncache-ttl 10800; /* 3 hours */\n\
max-recursion-depth 7;\n\
--- bin/named/server.c.orig 2021-05-12 10:45:51 UTC
+++ bin/named/server.c
@@ -3721,6 +3721,16 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewl
}
obj = NULL;
+ result = ns_config_get(maps, "override-cache-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->overridecachettl = cfg_obj_asuint32(obj);
+
+ obj = NULL;
+ result = ns_config_get(maps, "min-cache-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->mincachettl = cfg_obj_asuint32(obj);
+
+ obj = NULL;
result = ns_config_get(maps, "max-cache-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
view->maxcachettl = cfg_obj_asuint32(obj);
--- lib/dns/include/dns/view.h.orig 2021-05-12 10:45:51 UTC
+++ lib/dns/include/dns/view.h
@@ -152,6 +152,8 @@ struct dns_view {
bool requestnsid;
bool sendcookie;
dns_ttl_t maxcachettl;
+ dns_ttl_t mincachettl;
+ dns_ttl_t overridecachettl;
dns_ttl_t maxncachettl;
uint32_t nta_lifetime;
uint32_t nta_recheck;
--- lib/dns/resolver.c.orig 2021-05-12 10:45:51 UTC
+++ lib/dns/resolver.c
@@ -5579,6 +5579,18 @@ cache_name(fetchctx_t *fctx, dns_message_t *rmessage,
}
/*
+ * Enforce the configure cache TTL override.
+ */
+ if (res->view->overridecachettl)
+ rdataset->ttl = res->view->overridecachettl;
+
+ /*
+ * Enforce the configure minimum cache TTL.
+ */
+ if (rdataset->ttl < res->view->mincachettl)
+ rdataset->ttl = res->view->mincachettl;
+
+ /*
* Enforce the configure maximum cache TTL.
*/
if (rdataset->ttl > res->view->maxcachettl) {
--- lib/isccfg/namedconf.c.orig 2021-05-12 10:45:51 UTC
+++ lib/isccfg/namedconf.c
@@ -1773,6 +1773,8 @@ view_clauses[] = {
#endif
{ "max-acache-size", &cfg_type_sizenodefault, 0 },
{ "max-cache-size", &cfg_type_sizeorpercent, 0 },
+ { "override-cache-ttl", &cfg_type_uint32, 0 },
+ { "min-cache-ttl", &cfg_type_uint32, 0 },
{ "max-cache-ttl", &cfg_type_uint32, 0 },
{ "max-clients-per-query", &cfg_type_uint32, 0 },
{ "max-ncache-ttl", &cfg_type_uint32, 0 },
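Review bot: In the lib/dns/resolver.c hunk the three TTL adjustments are only bounded because of their order (override, then minimum, then the existing max-cache-ttl clamp), and nothing in the new code says so. Both new options are plain `cfg_type_uint32` in view_clauses with no range check visible here, so max-cache-ttl is the only limit on how long a raised or overridden TTL keeps a record in cache beyond what the zone owner published; a stale or forged answer is retained for the same extended period. I would add a comment above the first new block: `/* Order matters: override, then min-cache-ttl, then the max-cache-ttl clamp below, so max-cache-ttl always wins. */`. cache_name() extends beyond the hunk, so whether other TTL paths such as negative caching are affected cannot be judged from here.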
Use accf_dns's kernel module if available.
--- bin/named/interfacemgr.c.orig 2020-08-06 10:05:20 UTC
+++ bin/named/interfacemgr.c
@@ -521,7 +521,8 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
* If/when there a multiple filters listen to the
* result.
*/
- (void)isc_socket_filter(ifp->tcpsocket, "dataready");
+ if (isc_socket_filter(ifp->tcpsocket, "dnsready") != ISC_R_SUCCESS)
+ (void)isc_socket_filter(ifp->tcpsocket, "dataready");
result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, true);
if (result != ISC_R_SUCCESS) {
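Review bot: When `isc_socket_filter(ifp->tcpsocket, "dnsready")` fails, the fallback to "dataready" still discards its result with `(void)`, so the listener can end up with the DNS filter, the generic filter or none at all, and nothing records which. Since the ACCFDNS option exists to select a specific accept filter, a debug-level log line naming the filter that was actually installed would let an operator confirm the kernel module is in use. The existing comment above the call could also say that failure of both filters is deliberately ignored. ns_interface_accepttcp() begins and ends outside the hunk.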
$TTL 3h
localhost. SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
; Serial, Refresh, Retry, Expire, Neg. cache TTL
NS localhost.
A 127.0.0.1
AAAA ::1
$TTL 3h
@ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
; Serial, Refresh, Retry, Expire, Neg. cache TTL
NS localhost.
1.0.0 PTR localhost.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR localhost.
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/local/share/doc/bind for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.
options {
// All file and path names are relative to the chroot directory,
// if any, and should be fully qualified.
directory "%%ETCDIR%%/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
listen-on { 127.0.0.1; };
// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver. To give access to the network, specify
// an IPv6 address, or the keyword "any".
// listen-on-v6 { ::1; };
// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
forwarders {
127.0.0.1;
};
*/
// If the 'forwarders' clause is not empty the default is to 'forward first'
// which will fall back to sending a query from your local server if the name
// servers in 'forwarders' do not have the answer. Alternatively you can
// force your name server to never initiate queries of its own by enabling the
// following line:
// forward only;
// If you wish to have forwarding configured automatically based on
// the entries in /etc/resolv.conf, uncomment the following line and
// set named_auto_forward=yes in /etc/rc.conf. You can also enable
// named_auto_forward_only (the effect of which is described above).
// include "%%ETCDIR%%/auto_forward.conf";
/*
Modern versions of BIND use a random UDP port for each outgoing
query by default in order to dramatically reduce the possibility
of cache poisoning. All users are strongly encouraged to utilize
this feature, and to configure their firewalls to accommodate it.
AS A LAST RESORT in order to get around a restrictive firewall
policy you can try enabling the option below. Use of this option
will significantly reduce your ability to withstand cache poisoning
attacks, and should be avoided if at all possible.
Replace NNNNN in the example with a number between 49160 and 65530.
*/
// query-source address * port NNNNN;
};
// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.
// The traditional root hints mechanism. Use this, OR the slave zones below.
zone "." { type hint; file "%%ETCDIR%%/named.root"; };
/* Slaving the following zones from the root name servers has some
significant advantages:
1. Faster local resolution for your users
2. No spurious traffic will be sent from your network to the roots
3. Greater resilience to any potential root server failure/DDoS
On the other hand, this method requires more monitoring than the
hints file to be sure that an unexpected failure mode has not
incapacitated your server. Name servers that are serving a lot
of clients will benefit more from this approach than individual
hosts. Use with caution.
To use this mechanism, uncomment the entries below, and comment
the hint zone above.
As documented at http://dns.icann.org/services/axfr/ these zones:
"." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and a few others
are available for AXFR from these servers on IPv4 and IPv6:
xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
*/
/*
zone "." {
type slave;
file "%%ETCDIR%%/slave/root.slave";
masters {
192.0.32.132; // lax.xfr.dns.icann.org
2620:0:2d0:202::132; // lax.xfr.dns.icann.org
192.0.47.132; // iad.xfr.dns.icann.org
2620:0:2830:202::132; // iad.xfr.dns.icann.org
};
notify no;
};
zone "arpa" {
type slave;
file "%%ETCDIR%%/slave/arpa.slave";
masters {
192.0.32.132; // lax.xfr.dns.icann.org
2620:0:2d0:202::132; // lax.xfr.dns.icann.org
192.0.47.132; // iad.xfr.dns.icann.org
2620:0:2830:202::132; // iad.xfr.dns.icann.org
};
notify no;
};
zone "in-addr.arpa" {
type slave;
file "%%ETCDIR%%/slave/in-addr.arpa.slave";
masters {
192.0.32.132; // lax.xfr.dns.icann.org
2620:0:2d0:202::132; // lax.xfr.dns.icann.org
192.0.47.132; // iad.xfr.dns.icann.org
2620:0:2830:202::132; // iad.xfr.dns.icann.org
};
notify no;
};
zone "ip6.arpa" {
type slave;
file "%%ETCDIR%%/slave/ip6.arpa.slave";
masters {
192.0.32.132; // lax.xfr.dns.icann.org
2620:0:2d0:202::132; // lax.xfr.dns.icann.org
192.0.47.132; // iad.xfr.dns.icann.org
2620:0:2830:202::132; // iad.xfr.dns.icann.org
};
notify no;
};
*/
/* Serving the following zones locally will prevent any queries
for these zones leaving your network and going to the root
name servers. This has two significant advantages:
1. Faster local resolution for your users
2. No spurious traffic will be sent from your network to the roots
*/
// RFCs 1912, 5735 and 6303 (and BCP 32 for localhost)
zone "localhost" { type master; file "%%ETCDIR%%/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "%%ETCDIR%%/master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
// RFC 1912-style zone for IPv6 localhost address (RFC 6303)
zone "0.ip6.arpa" { type master; file "%%ETCDIR%%/master/localhost-reverse.db"; };
// "This" Network (RFCs 1912, 5735 and 6303)
zone "0.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
// Private Use Networks (RFCs 1918, 5735 and 6303)
zone "10.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
zone "18.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
zone "19.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
zone "20.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
zone "21.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
zone "22.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
zone "23.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
zone "24.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
zone "25.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
zone "26.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };
zone "27.172.in-addr.arpa" { type master; file "%%ETCDIR%%/master/empty.db"; };