1. Move the disable-empty-zone stuff down below the first 25 lines so

that the listen-on stuff floats up to the first "page" of text. This
makes it very obvious what's going on so that someone trying to enable
a server for use on a network can easily see how to do that.

2. Change the default behavior back to using a hint zone for the root.

3. Leave the root slave zone config as a commented out example.

4. Remove the B and F root servers from the example at the request of
their operators.

Requested by:	he-who-must-not-be-named [1]
Requested by:	many [2]

Approved by:	re (rwatson)

etc/namedb/named.conf

@@ -15,10 +15,6 @@ options {
 	dump-file	"/var/dump/named_dump.db";
 	statistics-file	"/var/stats/named.stats";
 
-	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
-	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
-	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
-
 // If named is being used only as a local resolver, this is a safe default.
 // For named to be accessible to the network, comment this option, specify
 // the proper IP address, or delete this option.
@@ -29,6 +25,12 @@ options {
 // an IPv6 address, or the keyword "any".
 //	listen-on-v6	{ ::1; };
 
+// These zones are already covered by the empty zones listed below.
+// If you remove the related empty zones below, comment these lines out.
+	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
+	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+
 // In addition to the "forwarders" clause, you can force your name
 // server to never initiate queries of its own, but always ask its
 // forwarders only, by enabling the following line:
@@ -57,22 +59,23 @@ options {
 // first in your /etc/resolv.conf so this server will be queried.
 // Also, make sure to enable it in /etc/rc.conf.
 
+// The traditional root hints mechanism. Use this, OR the slave zones below.
+zone "." { type hint; file "named.root"; };
+
 /*	Slaving the following zones from the root name servers has some
 	significant advantages:
 	1. Faster local resolution for your users
 	2. No spurious traffic will be sent from your network to the roots
 	3. Greater resilience to any potential root server failure/DDoS
 
-	If you do not wish to slave these zones from the root servers
+	To use this mechanism, uncomment the entries below, and comment
-	use the entry below instead.
+	the hint zone above.
-	zone "." { type hint; file "named.root"; };
 */
+/*
 zone "." {
 	type slave;
 	file "slave/root.slave";
 	masters {
-		192.5.5.241;	// F.ROOT-SERVERS.NET.
-		192.228.79.201;	// B.ROOT-SERVERS.NET.
 		192.33.4.12;	// C.ROOT-SERVERS.NET.
 		192.112.36.4;	// G.ROOT-SERVERS.NET.
 		193.0.14.129;	// K.ROOT-SERVERS.NET.
@@ -83,8 +86,6 @@ zone "arpa" {
 	type slave;
 	file "slave/arpa.slave";
 	masters {
-		192.5.5.241;	// F.ROOT-SERVERS.NET.
-		192.228.79.201;	// B.ROOT-SERVERS.NET.
 		192.33.4.12;	// C.ROOT-SERVERS.NET.
 		192.112.36.4;	// G.ROOT-SERVERS.NET.
 		193.0.14.129;	// K.ROOT-SERVERS.NET.
@@ -95,14 +96,13 @@ zone "in-addr.arpa" {
 	type slave;
 	file "slave/in-addr.arpa.slave";
 	masters {
-		192.5.5.241;	// F.ROOT-SERVERS.NET.
-		192.228.79.201;	// B.ROOT-SERVERS.NET.
 		192.33.4.12;	// C.ROOT-SERVERS.NET.
 		192.112.36.4;	// G.ROOT-SERVERS.NET.
 		193.0.14.129;	// K.ROOT-SERVERS.NET.
 	};
 	notify no;
 };
+*/
 
 /*	Serving the following zones locally will prevent any queries
 	for these zones leaving your network and going to the root