History log of /freebsd-9.3-release/etc/namedb/
Revision Date Author Comments
267654 20-Jun-2014 gjb

Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation


265142 30-Apr-2014 erwin

Pick up the 2014032601 update which adds an IPv6 address for C.

Note that this is a direct commit to stable/9 as this file
is no longer in HEAD.

Sponsored by: DK Hostmaster A/S


254270 13-Aug-2013 erwin

MFC r254132:
Add empty zones for Shared Address Space (RFC 6598)

Approved by: delphij (mentor)
Sponsored by: DK Hostmaster A/S


245160 08-Jan-2013 erwin

MFC r245034
Update with new IPv4 address for D root.

Approved by: delphij (mentor)


225736 23-Sep-2011 kensmith

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)


224125 17-Jul-2011 dougb

Commemorate the release of RFC 6303 by updating the comments regarding
our default empty zones. No functional changes.


224124 17-Jul-2011 dougb

Pick up the 2011-06-08 update to this file, the addition of an IPv6
address for D.


218865 20-Feb-2011 dougb

Add a note about AXFR of important zones being available from ICANN


218753 16-Feb-2011 dougb

Remove in-addr.arpa from the list of zones it is possible to slave locally


218350 05-Feb-2011 dougb

Catch up with reality and references from the latest RFCs
(especially 5735) for our default empty zones.


209286 18-Jun-2010 dougb

Add the AAAA address for i.root-servers.net


202582 18-Jan-2010 dougb

Update the example named.conf file to answer locally for the newly
released IPv4 documentation ranges (http://tools.ietf.org/html/rfc5737)
and catch up to the IPv6 documentation range and domain names that 5737
also references.


200563 15-Dec-2009 dougb

The named process needs to have a "working directory" that it can
write to. This is specified in "options { directory }" in named.conf.
So, create /etc/namedb/working with appropriate permissions, and
update the entry in named.conf to match.

In addition to specifying the working directory, file and path names
in named.conf can be specified relative to the directory listed.
However, since that directory is now different from /etc/namedb
(where the configuration, zone, rndc.*, and other files are located)
further update named.conf to specify all file names with fully
qualified paths. Also update the comment about file and path names
so users know this should be done for all file/path names in the file.

This change will eliminate the 'working directory is not writable'
messages at boot time without sacrificing security. It will also
allow for features in newer versions of BIND (9.7+) to work as
designed.


200377 11-Dec-2009 dougb

Update to the December 12, 2008 version of this file. The one
substantive change is to add the IPv6 address of L. The other
changes are all CAPS LOCK related.


192215 16-May-2009 dougb

1. New feature; option to have the script loop until a specified hostname
(localhost by default) can be successfully looked up. Off by default.
2. New feature: option to create a forwarder configuration file based on
the contents of /etc/resolv.conf. This allows you to utilize a local
resolver for better performance, less network traffic, custom zones, etc.
while still relying on the benefits of your local network resolver.
Off by default.
3. Add named-checkconf into the startup routine. This will prevent named
from trying to start in a situation where it would not be possible to do
so.


180478 12-Jul-2008 dougb

Strongly discourage the use of the query-source option, and explain why.

Give a better example if a user absolutely must use this option, and
suggest they pick something from the ephemeral port range rather than
port 53. This means that the example will not work if it is merely
uncommented, but this will hopefully encourage users to read the comment.


176077 07-Feb-2008 dougb

From the 4 February 2008 update:
IPv6 addresses for 6 of the root name servers!


175236 11-Jan-2008 dougb

Remove from the default empty zone list zones that, unlike the others,
could theoretically be allocated one day.


173294 02-Nov-2007 dougb

Update to the 1 November 2007 version of this file. The change
is to the address of l.root-servers.net, which is moving to a
new /24 in order to enable anycast routing down the road.


171865 17-Aug-2007 dougb

1. Remove root name servers from the list of possible masters in the
commented out example who have either not responded, or specifically
asked not to participate because they do not view AXFR as "a production
service."

2. Add f.root-servers.net to the example after confirmation from
Paul Vixie.

3. Add a warning to the commented out "root zone slave" example to the
effect that it requires more attention than a hints file, and provides
more benefit to larger sites than individual hosts.

4. Correct a typo copied from RFC 2544 which was corrected in a later
errata, and confirmed in RFC 3330. Update the comment to reflect that
RFC 3330 got it right and to avoid confusion down the road. 3330 also
contains a reference back to 2544 for anyone interested in pursuing the
history. [1]

PR: conf/115573 [1]
Submitted by: Oliver Fromme <olli@secnetix.de> [1]

Approved by: re (kensmith)


171698 02-Aug-2007 dougb

1. Move the disable-empty-zone stuff down below the first 25 lines so
that the listen-on stuff floats up to the first "page" of text. This
makes it very obvious what's going on so that someone trying to enable
a server for use on a network can easily see how to do that.

2. Change the default behavior back to using a hint zone for the root.

3. Leave the root slave zone config as a commented out example.

4. Remove the B and F root servers from the example at the request of
their operators.

Requested by: he-who-must-not-be-named [1]
Requested by: many [2]

Approved by: re (rwatson)


170915 18-Jun-2007 dougb

Drop the default zones that are now covered by the new zones that
were added in the last revision.


170914 18-Jun-2007 dougb

Bring our default named configuration more in line with current
best practices:

1. The old way of generating the localhost zones was not optimal both
because they did not exist by default, and because they were not really
aligned with BCP. There is no need to have the dynamic data that the
make-localhost script generated, and good reasons to do this more
"by the book."

2. In named.conf
a. Clean up white space
b. Add/clarify a few comments
c. Slave zones from the root servers instead of using a hints
file. This has several advantages, as described in the comments.
d. Significantly revamp the default zones, including the
forward localhost zone, and the reverse zones for IPv4 and IPv6
loopback addresses. There are extensive comments describing what
is included and why. Interested readers should take the time to
review the RFCs mentioned in the comments. There is also relevant
information about the motivations for hosting these zones in the
"work in progress" Internet-Draft,
http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
or its successor.
It's also worth noting that a significant number of these
empty zones are already included by default in the named binary
without any user configuration.
e. Because we're including a lot of examples of both local
forward zones and slave zones in the default configuration,
eliminate some of those examples.

3. Add new localhost-{forward|reverse} zone files, and an "empty" zone
to support the changes in 2.d. above. The empty zone file isn't really
empty in order to avoid a warning from BIND about a zone file that
doesn't contain any A or AAAA records.


170913 18-Jun-2007 dougb

Add a namedb/master directory for the zone files I'm about to add,
and switch to the more "normal" way of installing files for the
namedb directory so that we can pick up the new subdir.


149797 05-Sep-2005 dougb

In accordance with my intentions announced (and not objected to)
on -arch, and RFC 4159 (http://www.rfc-editor.org/rfc/rfc4159.txt)
which officially deprecates all usage of IP6.INT, remove the
reference to that zone from the example named.conf file.


140640 22-Jan-2005 dougb

Scot pointed out that the dynamic zone example didn't seem to "flow"
with the rest of the examples, so after discussion with him and gshapiro,
re-sort the examples, and add more comments to make things very obvious.

Also, divide the examples between example.{com|net|org} to make things
even more obvious, and use the same RFC 1918 block for all examples.

Pointed out by: Scot W. Hetzel <hetzels@westbend.net>


139103 21-Dec-2004 ru

Start the dreaded NOFOO -> NO_FOO conversion.

OK'ed by: core


137182 04-Nov-2004 gshapiro

Create a separate directory for dynamic zones which is owned by the bind
user (for creation of the zone journal file). This is separate from the
master/ directory for security. Give an example dynamic zone in the
sample named.conf.

Approved by: dougb
Noticed by: Eivind Olsen <eivind at aminor.no>
MFC after: 1 week


136910 24-Oct-2004 ru

For variables that are only checked with defined(), don't provide
any fake value.


135961 30-Sep-2004 dougb

1. Update the documentation references, and the warning about setting up
authoritative servers.

2. Add an IPv4 listen-on option for 127.0.0.1, which is appropriate
for the default use as a local resolver.

3. Add a commented out listen-on-v6 option.


135918 29-Sep-2004 dougb

Add a statistics-file directive


135910 28-Sep-2004 dougb

Fix some of the more egregious problems with this file:

1. Update text about later BINDs using a pseudo-random, unprivileged
query port for UDP by default.

2. We are now running in a sandbox by default, with a dedicated dump
directory, so remove the stale comment.

3. The topology configuration is not for the faint of heart, so
remove the commented example.

4. Tighten up some language a bit.

5. s/secondary/slave/

6. No need for the example about a bind-owned directory for slave zones.

7. Change domain.com to example.com in the example, per RFC 2606.

8. Update the path for slave zones in the example.
- Thanks to Scot Hetzel <swhetzel@gmail.com>

There is more work to do here, but this is an improvement.


135875 28-Sep-2004 dougb

Create a named chroot directory structure in /var/named, and use it
by default when named is enabled. Also, improve our default directory
layout by creating /var/named/etc/namedb/{master|slave} directories,
and use the former for the generated localhost* files.

Rather than using pax to copy device entries, mount devfs in the
chroot directory.

There may be some corner cases where things need to be adjusted,
but overall this structure has been well tested on a production
network, and should serve the needs of the vast majority of users.

UPDATING has instructions on how to do the conversion for those
with existing configurations.


130151 06-Jun-2004 schweikh

Removed whitespace at BOF, EOL & EOF.


125207 29-Jan-2004 dougb

Latest version of this file from InterNIC. This version updates the IP
address of b.root-servers.net, and various comments.


110516 07-Feb-2003 keramida

Misc grammar, typo and wording fixes of comments.

PR: docs/41034
Submitted by: Chris Pepper <pepper@rockefeller.edu>


107254 26-Nov-2002 ume

compliance with RFC3152.

PR: standards/45557
Submitted by: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Approved by: re


106493 06-Nov-2002 dougb

Import the latest hints file from Internic. The most important change
is that J has moved, however I'm sure you'll all be very disappointed
to hear that you can no longer retrieve this file via gopher.


90279 06-Feb-2002 ume

Install PROTO.localhost-v6.rev.

Reported by: Scott Allendorf <scott-allendorf@uiowa.edu>
Forgot by: me (ume)


89976 30-Jan-2002 bde

Added this makefile. This is not attached to the build yet. I often
install parts of /etc manually and it helps to have a makefile for
each subdir even if the main makefile doesn't invoke it.


89660 22-Jan-2002 ume

Do not taint ::/124 for localhost reverse table.


87262 03-Dec-2001 cjc

The named.conf file should refer to named.conf(5) in addition to
named(8) in the comments.

PR: 32459
Submitted by: "Gary W. Swearingen" <swear@blarg.net>
MFC after: 2 days


82191 23-Aug-2001 kuriyama

Invoke named with privilege of bind:bind.
Change pidfile location to /var/run/named/pid.


77336 28-May-2001 sheldonh

Replace old-style "chown foo.bar" with orthodox "chown foo:bar".


71123 16-Jan-2001 ben

FreeBSD doesn't run named in a sandbox by default, so change a comment so it
doesn't imply we do.


69364 29-Nov-2000 rwatson

o Add a PATH statement to the beginning of make-localhost, making it
work right when the administrator has modified their runtime environment
in a manner not anticipated by our script.

Requested by: Tom Maher <tardis@ece.cmu.edu>


62781 07-Jul-2000 ume

Add reverse lookup entry for ::1

Suggested by: itojun


55774 10-Jan-2000 peter

Sigh. RFC2038 and bind 8.2.2 have a slight variation of interpretation
of the SOA 'minimum' field. Now it's necessary to define $TTL separately
to shut it up. Bind does reasonable things by default but it's annoying
still.

PR: 15834
Submitted by: Daniel Lewart <d-lewart@uiuc.edu>


51237 13-Sep-1999 peter

Add/adjust some $FreeBSD$ tags.

Noted by: Doug <Doug@gorean.org>


50472 27-Aug-1999 peter

$Id$ -> $FreeBSD$


42027 23-Dec-1998 dillon

Add (commented out) directive and note regarding dumpfile location
when running in a sandbox.

Submitted by: Ben Smithurst <ben@scientia.demon.co.uk>


41460 02-Dec-1998 dillon

Since we do not pre-create /etc/namedb/s, add additional documentation
to the comments in named.conf to describe to the user how to create it.
(named.conf does not use /etc/namedb/s by default anyway so us not
pre-creating it in the mtree does not hurt us terribly).


41442 01-Dec-1998 dillon

Reviewed by: freebsd-current, freebsd-security

Adjust rc.conf to run named in sandbox, adjust mtree to add /etc/namedb/s
subdirectory (user bind, group bind) to hold secondaries, adjust
comments in named.conf to reflect new secondary scheme. (Note that
core read-only zone files are left owned by root, increasing security even
more).


39145 13-Sep-1998 brian

Add Id keyword


35947 11-May-1998 peter

Delete some large chunks of trailing whitespace since it was making some
lines longer than 80 columns.


35832 07-May-1998 ache

Add new named configuration template and remove old template


28646 24-Aug-1997 max

Bring in the latest (08/22/1997) version from the Internic.


28055 11-Aug-1997 fenner

Make "make-localhost" Y2K safe by using "date +%Y" instead of "date +%y"
to pick the serial number.

PR: misc/3465
Submitted by: sjr1@flash.net (Stephen J. Roznowski)


25990 22-May-1997 eivind

Upgrade to latest version of named.root (from InterNIC).
PR: conf/3642

Submitted by: Josh Gilliam <soil@quick.net> (Well, suggestion. Root file
from InterNIC)


25584 08-May-1997 joerg

Add some blurb about how to setup a secondary nameserver.

Reviewed by: -hackers


25368 01-May-1997 ache

Increase Retry interval from 300 to 900 to shut named warning that
(300 < 900) maintenance interval


23037 23-Feb-1997 peter

Revert $FreeBSD$ to $Id$


22906 18-Feb-1997 dg

Updated to Jan 22, 1997 revision from the InterNIC.


21673 14-Jan-1997 jkh

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.


13783 31-Jan-1996 dg

Updated to Nov 8, 1995 version from internic.net.


13123 30-Dec-1995 peter

This commit was generated by cvs2svn to compensate for changes in r13122,
which included commits to RCS files with non-trunk default branches.


13122 30-Dec-1995 peter

recording cvs-1.6 file death


10681 12-Sep-1995 julian

Obtained from: FTP.RS.INTERNIC.NET
The named.root file is out of date.. (well it was.. this fixes it..)
15,16c15,16
< ; last update: Aug 25, 1995
< ; related version of root zone: 1995082500
---
> ; last update: Sep 1, 1995
> ; related version of root zone: 1995090100
18,19c18,22
< . 3600000 IN NS NS.INTERNIC.NET.
< NS.INTERNIC.NET. 3600000 A 198.41.0.4
---
> ;
> ; formerly NS.INTERNIC.NET
> ;
> . 3600000 IN NS A.ROOT-SERVERS.NET.
> A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
>
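Review bot: the log message should say what hunk 18,19c18,22 actually changes, since "out of date" hides the one substantive edit. The root NS record and its A record are renamed from NS.INTERNIC.NET to A.ROOT-SERVERS.NET, while the address stays 198.41.0.4. Stating the rename and the unchanged address in the message lets anyone auditing the hints file history see that this is a naming change and not a renumbering, without re-reading the diff.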


10497 31-Aug-1995 wollman

Update to latest version of named.root from the Internic. This version
is the first one to name all root servers X.root-servers.net rather
than by their original names.

Obtained from: Internic Registration Services


7273 23-Mar-1995 rgrimes

Convert from using old root.cache to new named.root


7271 23-Mar-1995 rgrimes

This commit was generated by cvs2svn to compensate for changes in r7270,
which included commits to RCS files with non-trunk default branches.


7221 21-Mar-1995 wollman

Update root NS cache.
Delete bogus localhost.rev.
Add prototype localhost.rev and a script to create it automatically.
(NB to install people: you should ask ``do you have a full-time connection
to the Internet?'', run this script, and enable named if the answer is
yes.)


707 07-Nov-1993 wollman

Commented out sortlist entry; most users aren't located at UCB and so
a different sortlist (if any) would be more appropriate. Users should
configure manually.


706 07-Nov-1993 wollman

Updated to reflect current situation w.r.t. root name servers.


38 20-Jun-1993 rgrimes

This commit was generated by cvs2svn to compensate for changes in r37,
which included commits to RCS files with non-trunk default branches.