MFC of the work committed on 2007-06-18 to improve the default

named.conf. This brings us in line with BCP, and makes our installed configuration usable as a local resolver right out of the box. This includes: 1.359 of etc/Makefile 1.5 of etc/namedb/Makefile 1.1 of etc/namedb/master/Makefile all for the new files in etc/namedb/master, 1.23 and 1.24 of etc/namedb/named.conf to bring in the new configuration options, The new files in etc/namedb/master to support those options, And deletion of the old *localhost*.rev files. See the commit message to HEAD and the comments in the new named.conf file for more details about the changes and the reasons for them.
2007-07-11 07:08:23 +00:00 · 2007-07-11 07:08:23 +00:00 · 2e29ef4131
commit 2e29ef4131
parent 8e18321b82
6 changed files with 203 additions and 140 deletions
--- a/etc/Makefile
+++ b/etc/Makefile
@ -58,11 +58,6 @@ MTREE+=	BIND.include.dist
 .endif
 .endif

-.if !defined(NO_BIND_ETC) && !defined(NO_BIND) && !defined(NO_BIND_MTREE)
-NAMEDB=	PROTO.localhost.rev PROTO.localhost-v6.rev named.conf named.root \
-	make-localhost
-.endif
-
 PPPCNF=	ppp.conf

 .if defined(NO_SENDMAIL)
@ -128,6 +123,19 @@ distribution:
 .if !defined(NO_I4B)
 	cd ${.CURDIR}/isdn; ${MAKE} install
 .endif
+
+.if !defined(NO_BIND)
+.if !defined(NO_BIND_MTREE)
+	@if [ ! -e ${DESTDIR}/etc/namedb ]; then \
+		set -x; \
+		ln -s ../var/named/etc/namedb ${DESTDIR}/etc/namedb; \
+	fi
+.endif
+.if !defined(NO_BIND_ETC)
+	cd ${.CURDIR}/namedb; ${MAKE} install
+.endif
+.endif
+
 .if !defined(NO_SENDMAIL)
 	cd ${.CURDIR}/sendmail; ${MAKE} distribution
 .endif
@ -156,18 +164,6 @@ distribution:
 	    ln ${DESTDIR}/root/.profile ${DESTDIR}/.profile
 	cd ${.CURDIR}/mtree; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \
 	    ${MTREE} ${DESTDIR}/etc/mtree
-.if !defined(NO_BIND)
-.if !defined(NO_BIND_ETC) && !defined(NO_BIND_MTREE)
-	cd ${.CURDIR}/namedb; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
-	    ${NAMEDB} ${DESTDIR}/var/named/etc/namedb
-.endif
-.if !defined(NO_BIND_MTREE)
-	@if [ ! -e ${DESTDIR}/etc/namedb ]; then \
-		set -x; \
-		ln -s ../var/named/etc/namedb ${DESTDIR}/etc/namedb; \
-	fi
-.endif
-.endif
 	cd ${.CURDIR}/ppp; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
 	    ${PPPCNF} ${DESTDIR}/etc/ppp
 	cd ${.CURDIR}/mail; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
--- a/etc/namedb/Makefile
+++ b/etc/namedb/Makefile
@ -1,9 +1,11 @@
 # $FreeBSD$

-FILES=	PROTO.localhost.rev PROTO.localhost-v6.rev named.conf named.root \
-	make-localhost
+SUBDIR=	master
+
+FILES=	named.conf named.root
+
 NO_OBJ=
-FILESDIR= /etc/namedb
-FILESMODE= 644
+FILESDIR=	/etc/namedb
+FILESMODE=	644

 .include <bsd.prog.mk>
--- a/etc/namedb/PROTO.localhost-v6.rev
+++ b/etc/namedb/PROTO.localhost-v6.rev
@ -1,17 +0,0 @@
-;	From: @(#)localhost.rev	5.1 (Berkeley) 6/30/90
-; $FreeBSD$
-;
-; This file is automatically edited by the `make-localhost' script in
-; the /etc/namedb directory.
-;
-
-$TTL	3600
-
-@	IN	SOA	@host@. root.@host@.  (
-				@date@	; Serial
-				3600	; Refresh
-				900	; Retry
-				3600000	; Expire
-				3600 )	; Minimum
-	IN	NS	@host@.
-	IN	PTR	localhost.@domain@.
--- a/etc/namedb/PROTO.localhost.rev
+++ b/etc/namedb/PROTO.localhost.rev
@ -1,17 +0,0 @@
-;	From: @(#)localhost.rev	5.1 (Berkeley) 6/30/90
-; $FreeBSD$
-;
-; This file is automatically edited by the `make-localhost' script in
-; the /etc/namedb directory.
-;
-
-$TTL	3600
-
-@	IN	SOA	@host@. root.@host@.  (
-				@date@	; Serial
-				3600	; Refresh
-				900	; Retry
-				3600000	; Expire
-				3600 )	; Minimum
-	IN	NS	@host@.
-1	IN	PTR	localhost.@domain@.
--- a/etc/namedb/make-localhost
+++ b/etc/namedb/make-localhost
@ -1,49 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-# make-localhost - edit the appropriate local information into
-# /etc/namedb/localhost.rev
-#
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
-export PATH
-
-if [ "`hostname -s`" != "`hostname`" ]; then
-	# hostname must contain domain
-
-	host=`hostname -s`
-	fullhost=`hostname`
-	domain=`echo $fullhost | sed "s/^$host\.//"`
-else
-	host=`hostname`
-
-	if [ -z "$1" ]; then
-		echo -n 'Enter your domain name: '
-		read domain
-	else
-		domain="$1"
-	fi
-
-	# strip trailing dot, if any
-	domain=`echo $domain | sed 's/\.$//'`
-	fullhost="$host.$domain"
-fi
-
-date=`date +"%Y%m%d"`
-
-mkdir -p master
-
-mv -f master/localhost-v6.rev master/localhost-v6.rev.BAK 2>/dev/null
-
-sed -e "s/@host@/$fullhost/g" \
-	-e "s/@domain@/$domain/g" \
-	-e "s/@date@/$date/g" \
-	< PROTO.localhost-v6.rev > master/localhost-v6.rev
-
-mv -f master/localhost.rev master/localhost.rev.BAK 2>/dev/null
-
-exec sed -e "s/@host@/$fullhost/g" \
-	-e "s/@domain@/$domain/g" \
-	-e "s/@date@/$date/g" \
-	< PROTO.localhost.rev > master/localhost.rev
--- a/etc/namedb/named.conf
+++ b/etc/namedb/named.conf
@ -9,11 +9,16 @@
 // or cause huge amounts of useless Internet traffic.

 options {
+	// Relative to the chroot directory, if any
 	directory	"/etc/namedb";
 	pid-file	"/var/run/named/pid";
 	dump-file	"/var/dump/named_dump.db";
 	statistics-file	"/var/stats/named.stats";

+	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
+	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+
 // If named is being used only as a local resolver, this is a safe default.
 // For named to be accessible to the network, comment this option, specify
 // the proper IP address, or delete this option.
@ -28,7 +33,7 @@ options {
 // server to never initiate queries of its own, but always ask its
 // forwarders only, by enabling the following line:
 //
-//      forward only;
+//	forward only;

 // If you've got a DNS server around at your upstream provider, enter
 // its IP address here, and enable the line below.  This will make you
@ -52,21 +57,178 @@ options {
 // first in your /etc/resolv.conf so this server will be queried.
 // Also, make sure to enable it in /etc/rc.conf.

+/*	Slaving the following zones from the root name servers has some
+	significant advantages:
+	1. Faster local resolution for your users
+	2. No spurious traffic will be sent from your network to the roots
+	3. Greater resilience to any potential root server failure/DDoS
+
+	If you do not wish to slave these zones from the root servers
+	use the entry below instead.
+	zone "." { type hint; file "named.root"; };
+*/
 zone "." {
-	type hint;
-	file "named.root";
+	type slave;
+	file "slave/root.slave";
+	masters {
+		192.5.5.241;	// F.ROOT-SERVERS.NET.
+		192.228.79.201;	// B.ROOT-SERVERS.NET.
+		192.33.4.12;	// C.ROOT-SERVERS.NET.
+		192.112.36.4;	// G.ROOT-SERVERS.NET.
+		193.0.14.129;	// K.ROOT-SERVERS.NET.
+	};
+	notify no;
+};
+zone "arpa" {
+	type slave;
+	file "slave/arpa.slave";
+	masters {
+		192.5.5.241;	// F.ROOT-SERVERS.NET.
+		192.228.79.201;	// B.ROOT-SERVERS.NET.
+		192.33.4.12;	// C.ROOT-SERVERS.NET.
+		192.112.36.4;	// G.ROOT-SERVERS.NET.
+		193.0.14.129;	// K.ROOT-SERVERS.NET.
+	};
+	notify no;
+};
+zone "in-addr.arpa" {
+	type slave;
+	file "slave/in-addr.arpa.slave";
+	masters {
+		192.5.5.241;	// F.ROOT-SERVERS.NET.
+		192.228.79.201;	// B.ROOT-SERVERS.NET.
+		192.33.4.12;	// C.ROOT-SERVERS.NET.
+		192.112.36.4;	// G.ROOT-SERVERS.NET.
+		193.0.14.129;	// K.ROOT-SERVERS.NET.
+	};
+	notify no;
 };

-zone "0.0.127.IN-ADDR.ARPA" {
-	type master;
-	file "master/localhost.rev";
-};
+/*	Serving the following zones locally will prevent any queries
+	for these zones leaving your network and going to the root
+	name servers.  This has two significant advantages:
+	1. Faster local resolution for your users
+	2. No spurious traffic will be sent from your network to the roots
+*/
+// RFC 1912
+zone "localhost"	{ type master; file "master/localhost-forward.db"; };
+zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
+zone "255.in-addr.arpa"	{ type master; file "master/empty.db"; };

-// RFC 3152
-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
-	type master;
-	file "master/localhost-v6.rev";
-};
+// RFC 1912-style zone for IPv6 localhost address
+zone "0.ip6.arpa"	{ type master; file "master/localhost-reverse.db"; };
+
+// "This" Network (RFCs 1912 and 3330)
+zone "0.in-addr.arpa"		{ type master; file "master/empty.db"; };
+
+// IANA Reserved - Unlikely to ever be assigned
+zone "1.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "2.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "223.in-addr.arpa"		{ type master; file "master/empty.db"; };
+
+// Public Data Networks (RFC 3330)
+zone "14.in-addr.arpa"		{ type master; file "master/empty.db"; };
+
+// Private Use Networks (RFC 1918)
+zone "10.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "16.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "17.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "18.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "19.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "20.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "21.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "22.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "23.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "24.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "25.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "26.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "27.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "28.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "29.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "30.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "31.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "168.192.in-addr.arpa"	{ type master; file "master/empty.db"; };
+
+// Link-local/APIPA (RFCs 3330 and 3927)
+zone "254.169.in-addr.arpa"	{ type master; file "master/empty.db"; };
+
+// TEST-NET for Documentation (RFC 3330)
+zone "2.0.192.in-addr.arpa"	{ type master; file "master/empty.db"; };
+
+// Router Benchmark Testing (RFC 2544)
+zone "18.192.in-addr.arpa"	{ type master; file "master/empty.db"; };
+zone "19.192.in-addr.arpa"	{ type master; file "master/empty.db"; };
+
+// IANA Reserved - Old Class E Space
+zone "240.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "241.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "242.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "243.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "244.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "245.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "246.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "247.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "248.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "249.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "250.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "251.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "252.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "253.in-addr.arpa"		{ type master; file "master/empty.db"; };
+zone "254.in-addr.arpa"		{ type master; file "master/empty.db"; };
+
+// IPv6 Unassigned Addresses (RFC 4291)
+zone "1.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "3.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "4.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "5.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "6.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "7.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "8.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "9.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "a.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "b.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "c.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "d.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "e.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "0.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "1.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "2.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "3.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "4.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "5.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "6.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "7.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "8.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "9.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "a.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "b.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "0.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "1.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "2.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "3.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "4.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "5.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "6.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "7.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+
+// IPv6 ULA (RFC 4193)
+zone "c.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "d.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+
+// IPv6 Link Local (RFC 4291)
+zone "8.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "9.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "a.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "b.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+
+// IPv6 Deprecated Site-Local Addresses (RFC 3879)
+zone "c.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "d.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "e.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+zone "f.e.f.ip6.arpa"		{ type master; file "master/empty.db"; };
+
+// IP6.INT is Deprecated (RFC 4159)
+zone "ip6.int"			{ type master; file "master/empty.db"; };

 // NB: Do not use the IP addresses below, they are faked, and only
 // serve demonstration/documentation purposes!
@ -74,30 +236,23 @@ zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"
 // Example slave zone config entries.  It can be convenient to become
 // a slave at least for the zone your own domain is in.  Ask
 // your network administrator for the IP address of the responsible
-// primary.
+// master name server.
 //
-// Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
-// (This is named after the first bytes of the IP address, in reverse
-// order, with ".IN-ADDR.ARPA" appended.)
+// Do not forget to include the reverse lookup zone!
+// This is named after the first bytes of the IP address, in reverse
+// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
 //
-// Before starting to set up a primary zone, make sure you fully
-// understand how DNS and BIND works.  There are sometimes
-// non-obvious pitfalls.  Setting up a slave zone is simpler.
+// Before starting to set up a master zone, make sure you fully
+// understand how DNS and BIND work.  There are sometimes
+// non-obvious pitfalls.  Setting up a slave zone is usually simpler.
 //
 // NB: Don't blindly enable the examples below. :-)  Use actual names
 // and addresses instead.

-/* An example master zone
-zone "example.net" {
-	type master;
-	file "master/example.net";
-};
-*/
-
 /* An example dynamic zone
 key "exampleorgkey" {
-        algorithm hmac-md5;
-        secret "sf87HJqjkqh8ac87a02lla==";
+	algorithm hmac-md5;
+	secret "sf87HJqjkqh8ac87a02lla==";
 };
 zone "example.org" {
 	type master;
@ -108,14 +263,7 @@ zone "example.org" {
 };
 */

-/* Examples of forward and reverse slave zones
-zone "example.com" {
-	type slave;
-	file "slave/example.com";
-	masters {
-		192.168.1.1;
-	};
-};
+/* Example of a slave reverse zone
 zone "1.168.192.in-addr.arpa" {
 	type slave;
 	file "slave/1.168.192.in-addr.arpa";