authordougb <dougb@FreeBSD.org>2007-06-18 05:58:23 +0000
committerdougb <dougb@FreeBSD.org>2007-06-18 05:58:23 +0000
commit37159c8d5970d0203011afb6e85c4301d360ab13 (patch)
tree1b1ef38585b47ef13ea4120bae2319fbec046a29 /etc
parentc2485b20cbbed190fed968003857dd1d0e048975 (diff)
Bring our default named configuration more in line with current
best practices:

1. The old way of generating the localhost zones was not optimal, both because they did not exist by default and because they were not really aligned with BCP. There is no need to have the dynamic data that the make-localhost script generated, and there are good reasons to do this more "by the book."

2. In named.conf:
   a. Clean up white space.
   b. Add/clarify a few comments.
   c. Slave zones from the root servers instead of using a hints file. This has several advantages, as described in the comments.
   d. Significantly revamp the default zones, including the forward localhost zone and the reverse zones for the IPv4 and IPv6 loopback addresses. There are extensive comments describing what is included and why. Interested readers should take the time to review the RFCs mentioned in the comments. There is also relevant information about the motivations for hosting these zones in the "work in progress" Internet-Draft, http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt or its successor. It is also worth noting that a significant number of these empty zones are already included by default in the named binary without any user configuration.
   e. Because we are including a lot of examples of both local forward zones and slave zones in the default configuration, eliminate some of the existing examples.

3. Add new localhost-{forward|reverse} zone files, and an "empty" zone file to support the changes in 2.d. above. The empty zone file is not really empty, in order to avoid a warning from BIND about a zone file that does not contain any A or AAAA records.
Diffstat (limited to 'etc')
-rw-r--r--etc/namedb/PROTO.localhost-v6.rev17
-rw-r--r--etc/namedb/PROTO.localhost.rev17
-rwxr-xr-xetc/namedb/make-localhost49
-rw-r--r--etc/namedb/master/empty.db11
-rw-r--r--etc/namedb/master/localhost-forward.db11
-rw-r--r--etc/namedb/master/localhost-reverse.db13
-rw-r--r--etc/namedb/named.conf216
7 files changed, 215 insertions, 119 deletions
diff --git a/etc/namedb/PROTO.localhost-v6.rev b/etc/namedb/PROTO.localhost-v6.rev
deleted file mode 100644
index 1616771..0000000
--- a/etc/namedb/PROTO.localhost-v6.rev
+++ /dev/null
@@ -1,17 +0,0 @@
-; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
-; $FreeBSD$
-;
-; This file is automatically edited by the `make-localhost' script in
-; the /etc/namedb directory.
-;
-
-$TTL 3600
-
-@ IN SOA @host@. root.@host@. (
- @date@ ; Serial
- 3600 ; Refresh
- 900 ; Retry
- 3600000 ; Expire
- 3600 ) ; Minimum
- IN NS @host@.
- IN PTR localhost.@domain@.
diff --git a/etc/namedb/PROTO.localhost.rev b/etc/namedb/PROTO.localhost.rev
deleted file mode 100644
index 0468683..0000000
--- a/etc/namedb/PROTO.localhost.rev
+++ /dev/null
@@ -1,17 +0,0 @@
-; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
-; $FreeBSD$
-;
-; This file is automatically edited by the `make-localhost' script in
-; the /etc/namedb directory.
-;
-
-$TTL 3600
-
-@ IN SOA @host@. root.@host@. (
- @date@ ; Serial
- 3600 ; Refresh
- 900 ; Retry
- 3600000 ; Expire
- 3600 ) ; Minimum
- IN NS @host@.
-1 IN PTR localhost.@domain@.
diff --git a/etc/namedb/make-localhost b/etc/namedb/make-localhost
deleted file mode 100755
index 60fbe49..0000000
--- a/etc/namedb/make-localhost
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-# make-localhost - edit the appropriate local information into
-# /etc/namedb/localhost.rev
-#
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
-export PATH
-
-if [ "`hostname -s`" != "`hostname`" ]; then
- # hostname must contain domain
-
- host=`hostname -s`
- fullhost=`hostname`
- domain=`echo $fullhost | sed "s/^$host\.//"`
-else
- host=`hostname`
-
- if [ -z "$1" ]; then
- echo -n 'Enter your domain name: '
- read domain
- else
- domain="$1"
- fi
-
- # strip trailing dot, if any
- domain=`echo $domain | sed 's/\.$//'`
- fullhost="$host.$domain"
-fi
-
-date=`date +"%Y%m%d"`
-
-mkdir -p master
-
-mv -f master/localhost-v6.rev master/localhost-v6.rev.BAK 2>/dev/null
-
-sed -e "s/@host@/$fullhost/g" \
- -e "s/@domain@/$domain/g" \
- -e "s/@date@/$date/g" \
- < PROTO.localhost-v6.rev > master/localhost-v6.rev
-
-mv -f master/localhost.rev master/localhost.rev.BAK 2>/dev/null
-
-exec sed -e "s/@host@/$fullhost/g" \
- -e "s/@domain@/$domain/g" \
- -e "s/@date@/$date/g" \
- < PROTO.localhost.rev > master/localhost.rev
diff --git a/etc/namedb/master/empty.db b/etc/namedb/master/empty.db
new file mode 100644
index 0000000..070f663
--- /dev/null
+++ b/etc/namedb/master/empty.db
@@ -0,0 +1,11 @@
+
+; $FreeBSD$
+
+$TTL 3h
+@ SOA @ nobody.localhost. 42 1d 12h 1w 3h
+ ; Serial, Refresh, Retry, Expire, Neg. cache TTL
+
+@ NS @
+
+; Silence a BIND warning
+@ A 127.0.0.1
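Review bot: The file carries no header saying what it is for, yet named.conf points dozens of reserved and private reverse zones at it, and the bare `@ A 127.0.0.1` on the last line will read as a mistake to anyone who opens the file without the commit message. A short comment above `$TTL 3h` would make the intent durable, for example `; Placeholder zone shared by the reserved/private reverse zones in named.conf: every name below the apex is answered locally with NXDOMAIN, so those queries never leave the host; the apex A record exists only to silence BIND's warning about a zone with no A/AAAA records.` The existing `; Silence a BIND warning` line could then be dropped or kept as is.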
diff --git a/etc/namedb/master/localhost-forward.db b/etc/namedb/master/localhost-forward.db
new file mode 100644
index 0000000..9156d2f
--- /dev/null
+++ b/etc/namedb/master/localhost-forward.db
@@ -0,0 +1,11 @@
+
+; $FreeBSD$
+
+$TTL 3h
+localhost. SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
+ ; Serial, Refresh, Retry, Expire, Neg. cache TTL
+
+ NS localhost.
+
+ A 127.0.0.1
+ AAAA ::1
diff --git a/etc/namedb/master/localhost-reverse.db b/etc/namedb/master/localhost-reverse.db
new file mode 100644
index 0000000..ceabe05
--- /dev/null
+++ b/etc/namedb/master/localhost-reverse.db
@@ -0,0 +1,13 @@
+
+; $FreeBSD$
+
+$TTL 3h
+@ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
+ ; Serial, Refresh, Retry, Expire, Neg. cache TTL
+
+ NS localhost.
+
+1.0.0 PTR localhost.
+
+1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR localhost.
+
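Review bot: This one file backs both `127.in-addr.arpa` and `0.ip6.arpa` in named.conf, so each zone also loads the other family's record: under 127.in-addr.arpa the long `::1` owner name becomes a meaningless PTR, and under 0.ip6.arpa the `1.0.0` owner becomes `1.0.0.0.ip6.arpa`. Both strays are harmless, but nothing in the file says the sharing is deliberate, so the next maintainer is likely to "fix" one of them. A header comment above `$TTL 3h` such as `; Shared by the 127.in-addr.arpa and 0.ip6.arpa zones: the 1.0.0 record serves IPv4 and the long nibble name serves ::1; each is an unused stray in the other zone.` would prevent that. The file also ends with a stray blank line, which BIND tolerates.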
diff --git a/etc/namedb/named.conf b/etc/namedb/named.conf
index 4a7772f..7c51ae6 100644
--- a/etc/namedb/named.conf
+++ b/etc/namedb/named.conf
@@ -9,6 +9,7 @@
// or cause huge amounts of useless Internet traffic.
options {
+ // Relative to the chroot directory, if any
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
@@ -28,7 +29,7 @@ options {
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
-// forward only;
+// forward only;
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
@@ -52,52 +53,202 @@ options {
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.
+/* Slaving the following zones from the root name servers has some
+ significant advantages:
+ 1. Faster local resolution for your users
+ 2. No spurious traffic will be sent from your network to the roots
+ 3. Greater resilience to any potential root server failure/DDoS
+
+ If you do not wish to slave these zones from the root servers
+ use the entry below instead.
+ zone "." { type hint; file "named.root"; };
+*/
zone "." {
- type hint;
- file "named.root";
+ type slave;
+ file "slave/root.slave";
+ masters {
+ 192.5.5.241; // F.ROOT-SERVERS.NET.
+ 192.228.79.201; // B.ROOT-SERVERS.NET.
+ 192.33.4.12; // C.ROOT-SERVERS.NET.
+ 192.112.36.4; // G.ROOT-SERVERS.NET.
+ 193.0.14.129; // K.ROOT-SERVERS.NET.
+ };
+ notify no;
};
-
-zone "0.0.127.IN-ADDR.ARPA" {
- type master;
- file "master/localhost.rev";
+zone "arpa" {
+ type slave;
+ file "slave/arpa.slave";
+ masters {
+ 192.5.5.241; // F.ROOT-SERVERS.NET.
+ 192.228.79.201; // B.ROOT-SERVERS.NET.
+ 192.33.4.12; // C.ROOT-SERVERS.NET.
+ 192.112.36.4; // G.ROOT-SERVERS.NET.
+ 193.0.14.129; // K.ROOT-SERVERS.NET.
+ };
+ notify no;
};
-
-// RFC 3152
-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
- type master;
- file "master/localhost-v6.rev";
+zone "in-addr.arpa" {
+ type slave;
+ file "slave/in-addr.arpa.slave";
+ masters {
+ 192.5.5.241; // F.ROOT-SERVERS.NET.
+ 192.228.79.201; // B.ROOT-SERVERS.NET.
+ 192.33.4.12; // C.ROOT-SERVERS.NET.
+ 192.112.36.4; // G.ROOT-SERVERS.NET.
+ 193.0.14.129; // K.ROOT-SERVERS.NET.
+ };
+ notify no;
};
+/* Serving the following zones locally will prevent any queries
+ for these zones leaving your network and going to the root
+ name servers. This has two significant advantages:
+ 1. Faster local resolution for your users
+ 2. No spurious traffic will be sent from your network to the roots
+*/
+// RFC 1912
+zone "localhost" { type master; file "master/localhost-forward.db"; };
+zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
+zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// RFC 1912-style zone for IPv6 localhost address
+zone "0.ip6.arpa" { type master; file "master/localhost-reverse.db"; };
+
+// "This" Network (RFCs 1912 and 3330)
+zone "0.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// IANA Reserved - Unlikely to ever be assigned
+zone "1.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "2.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "223.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// Public Data Networks (RFC 3330)
+zone "14.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// Private Use Networks (RFC 1918)
+zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "17.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "18.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "19.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "20.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "21.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "22.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "23.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "24.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "25.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "26.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "27.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "28.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "29.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "30.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "31.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// Link-local/APIPA (RFCs 3330 and 3927)
+zone "254.169.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// TEST-NET for Documentation (RFC 3330)
+zone "2.0.192.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// Router Benchmark Testing (RFC 2544)
+zone "18.192.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "19.192.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// IANA Reserved - Old Class E Space
+zone "240.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "241.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "242.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "243.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "244.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "245.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "246.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "247.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "248.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "249.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "250.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "251.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "252.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "253.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "254.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// IPv6 Unassigned Addresses (RFC 4291)
+zone "1.ip6.arpa" { type master; file "master/empty.db"; };
+zone "3.ip6.arpa" { type master; file "master/empty.db"; };
+zone "4.ip6.arpa" { type master; file "master/empty.db"; };
+zone "5.ip6.arpa" { type master; file "master/empty.db"; };
+zone "6.ip6.arpa" { type master; file "master/empty.db"; };
+zone "7.ip6.arpa" { type master; file "master/empty.db"; };
+zone "8.ip6.arpa" { type master; file "master/empty.db"; };
+zone "9.ip6.arpa" { type master; file "master/empty.db"; };
+zone "a.ip6.arpa" { type master; file "master/empty.db"; };
+zone "b.ip6.arpa" { type master; file "master/empty.db"; };
+zone "c.ip6.arpa" { type master; file "master/empty.db"; };
+zone "d.ip6.arpa" { type master; file "master/empty.db"; };
+zone "e.ip6.arpa" { type master; file "master/empty.db"; };
+zone "0.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "1.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "2.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "3.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "4.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "5.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "6.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "7.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "8.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "9.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "a.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "b.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "0.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "1.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "2.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "3.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "4.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "5.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "6.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "7.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+
+// IPv6 ULA (RFC 4193)
+zone "c.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "d.f.ip6.arpa" { type master; file "master/empty.db"; };
+
+// IPv6 Link Local (RFC 4291)
+zone "8.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "9.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "a.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "b.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+
+// IPv6 Deprecated Site-Local Addresses (RFC 3879)
+zone "c.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "d.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "e.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "f.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+
+// IP6.INT is Deprecated (RFC 4159)
+zone "ip6.int" { type master; file "master/empty.db"; };
+
// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example slave zone config entries. It can be convenient to become
// a slave at least for the zone your own domain is in. Ask
// your network administrator for the IP address of the responsible
-// primary.
+// master name server.
//
-// Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
-// (This is named after the first bytes of the IP address, in reverse
-// order, with ".IN-ADDR.ARPA" appended.)
+// Do not forget to include the reverse lookup zone!
+// This is named after the first bytes of the IP address, in reverse
+// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
//
-// Before starting to set up a primary zone, make sure you fully
-// understand how DNS and BIND works. There are sometimes
-// non-obvious pitfalls. Setting up a slave zone is simpler.
+// Before starting to set up a master zone, make sure you fully
+// understand how DNS and BIND work. There are sometimes
+// non-obvious pitfalls. Setting up a slave zone is usually simpler.
//
// NB: Don't blindly enable the examples below. :-) Use actual names
// and addresses instead.
-/* An example master zone
-zone "example.net" {
- type master;
- file "master/example.net";
-};
-*/
-
/* An example dynamic zone
key "exampleorgkey" {
- algorithm hmac-md5;
- secret "sf87HJqjkqh8ac87a02lla==";
+ algorithm hmac-md5;
+ secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
type master;
@@ -108,14 +259,7 @@ zone "example.org" {
};
*/
-/* Examples of forward and reverse slave zones
-zone "example.com" {
- type slave;
- file "slave/example.com";
- masters {
- 192.168.1.1;
- };
-};
+/* Example of a slave reverse zone
zone "1.168.192.in-addr.arpa" {
type slave;
file "slave/1.168.192.in-addr.arpa";