Diffstat (limited to 'etc/namedb')
-rw-r--r--etc/namedb/PROTO.localhost-v6.rev17
-rw-r--r--etc/namedb/PROTO.localhost.rev17
-rwxr-xr-xetc/namedb/make-localhost49
-rw-r--r--etc/namedb/master/empty.db11
-rw-r--r--etc/namedb/master/localhost-forward.db11
-rw-r--r--etc/namedb/master/localhost-reverse.db13
-rw-r--r--etc/namedb/named.conf216
7 files changed, 215 insertions, 119 deletions
diff --git a/etc/namedb/PROTO.localhost-v6.rev b/etc/namedb/PROTO.localhost-v6.rev
deleted file mode 100644
index 1616771235d5..000000000000
--- a/etc/namedb/PROTO.localhost-v6.rev
+++ /dev/null
@@ -1,17 +0,0 @@
-; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
-; $FreeBSD$
-;
-; This file is automatically edited by the `make-localhost' script in
-; the /etc/namedb directory.
-;
-
-$TTL 3600
-
-@ IN SOA @host@. root.@host@. (
- @date@ ; Serial
- 3600 ; Refresh
- 900 ; Retry
- 3600000 ; Expire
- 3600 ) ; Minimum
- IN NS @host@.
- IN PTR localhost.@domain@.
diff --git a/etc/namedb/PROTO.localhost.rev b/etc/namedb/PROTO.localhost.rev
deleted file mode 100644
index 046868305455..000000000000
--- a/etc/namedb/PROTO.localhost.rev
+++ /dev/null
@@ -1,17 +0,0 @@
-; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
-; $FreeBSD$
-;
-; This file is automatically edited by the `make-localhost' script in
-; the /etc/namedb directory.
-;
-
-$TTL 3600
-
-@ IN SOA @host@. root.@host@. (
- @date@ ; Serial
- 3600 ; Refresh
- 900 ; Retry
- 3600000 ; Expire
- 3600 ) ; Minimum
- IN NS @host@.
-1 IN PTR localhost.@domain@.
diff --git a/etc/namedb/make-localhost b/etc/namedb/make-localhost
deleted file mode 100755
index 60fbe49441ab..000000000000
--- a/etc/namedb/make-localhost
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-# make-localhost - edit the appropriate local information into
-# /etc/namedb/localhost.rev
-#
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
-export PATH
-
-if [ "`hostname -s`" != "`hostname`" ]; then
- # hostname must contain domain
-
- host=`hostname -s`
- fullhost=`hostname`
- domain=`echo $fullhost | sed "s/^$host\.//"`
-else
- host=`hostname`
-
- if [ -z "$1" ]; then
- echo -n 'Enter your domain name: '
- read domain
- else
- domain="$1"
- fi
-
- # strip trailing dot, if any
- domain=`echo $domain | sed 's/\.$//'`
- fullhost="$host.$domain"
-fi
-
-date=`date +"%Y%m%d"`
-
-mkdir -p master
-
-mv -f master/localhost-v6.rev master/localhost-v6.rev.BAK 2>/dev/null
-
-sed -e "s/@host@/$fullhost/g" \
- -e "s/@domain@/$domain/g" \
- -e "s/@date@/$date/g" \
- < PROTO.localhost-v6.rev > master/localhost-v6.rev
-
-mv -f master/localhost.rev master/localhost.rev.BAK 2>/dev/null
-
-exec sed -e "s/@host@/$fullhost/g" \
- -e "s/@domain@/$domain/g" \
- -e "s/@date@/$date/g" \
- < PROTO.localhost.rev > master/localhost.rev
diff --git a/etc/namedb/master/empty.db b/etc/namedb/master/empty.db
new file mode 100644
index 000000000000..070f6634825a
--- /dev/null
+++ b/etc/namedb/master/empty.db
@@ -0,0 +1,11 @@
+
+; $FreeBSD$
+
+$TTL 3h
+@ SOA @ nobody.localhost. 42 1d 12h 1w 3h
+ ; Serial, Refresh, Retry, Expire, Neg. cache TTL
+
+@ NS @
+
+; Silence a BIND warning
+@ A 127.0.0.1
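Review bot: Nothing in this file says it is shared, yet the named.conf hunk in this commit loads `master/empty.db` for every empty reverse zone, so the SOA, NS and A records only work because each of them uses `@`. A header comment such as `; Shared by all empty zones in named.conf; use only @-relative owner names.` would stop a later editor from adding an absolute name that is out of zone everywhere but one place. The `@ A 127.0.0.1` line also gives every one of those zone apexes an address record, so the `; Silence a BIND warning` comment should name the warning it avoids, letting the record be dropped once it is no longer needed.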
diff --git a/etc/namedb/master/localhost-forward.db b/etc/namedb/master/localhost-forward.db
new file mode 100644
index 000000000000..9156d2f09978
--- /dev/null
+++ b/etc/namedb/master/localhost-forward.db
@@ -0,0 +1,11 @@
+
+; $FreeBSD$
+
+$TTL 3h
+localhost. SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
+ ; Serial, Refresh, Retry, Expire, Neg. cache TTL
+
+ NS localhost.
+
+ A 127.0.0.1
+ AAAA ::1
diff --git a/etc/namedb/master/localhost-reverse.db b/etc/namedb/master/localhost-reverse.db
new file mode 100644
index 000000000000..ceabe059ba77
--- /dev/null
+++ b/etc/namedb/master/localhost-reverse.db
@@ -0,0 +1,13 @@
+
+; $FreeBSD$
+
+$TTL 3h
+@ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
+ ; Serial, Refresh, Retry, Expire, Neg. cache TTL
+
+ NS localhost.
+
+1.0.0 PTR localhost.
+
+1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR localhost.
+
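Review bot: This file is loaded under two different origins, because the named.conf hunk in this commit points both `127.in-addr.arpa` and `0.ip6.arpa` at `master/localhost-reverse.db`, so each zone also publishes the other's PTR owner name (for example `1.0.0` under `0.ip6.arpa`), and the file does not say that this is intended. The stray names look harmless, but an edit that assumes a single origin would be wrong in one of the two zones. A header comment would cover it: `; Loaded as both 127.in-addr.arpa and 0.ip6.arpa; keep owner names relative to the origin.`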
diff --git a/etc/namedb/named.conf b/etc/namedb/named.conf
index 4a7772fe13b0..7c51ae6e6094 100644
--- a/etc/namedb/named.conf
+++ b/etc/namedb/named.conf
@@ -9,6 +9,7 @@
// or cause huge amounts of useless Internet traffic.
options {
+ // Relative to the chroot directory, if any
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
@@ -28,7 +29,7 @@ options {
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
-// forward only;
+// forward only;
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
@@ -52,52 +53,202 @@ options {
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.
+/* Slaving the following zones from the root name servers has some
+ significant advantages:
+ 1. Faster local resolution for your users
+ 2. No spurious traffic will be sent from your network to the roots
+ 3. Greater resilience to any potential root server failure/DDoS
+
+ If you do not wish to slave these zones from the root servers
+ use the entry below instead.
+ zone "." { type hint; file "named.root"; };
+*/
zone "." {
- type hint;
- file "named.root";
+ type slave;
+ file "slave/root.slave";
+ masters {
+ 192.5.5.241; // F.ROOT-SERVERS.NET.
+ 192.228.79.201; // B.ROOT-SERVERS.NET.
+ 192.33.4.12; // C.ROOT-SERVERS.NET.
+ 192.112.36.4; // G.ROOT-SERVERS.NET.
+ 193.0.14.129; // K.ROOT-SERVERS.NET.
+ };
+ notify no;
};
-
-zone "0.0.127.IN-ADDR.ARPA" {
- type master;
- file "master/localhost.rev";
+zone "arpa" {
+ type slave;
+ file "slave/arpa.slave";
+ masters {
+ 192.5.5.241; // F.ROOT-SERVERS.NET.
+ 192.228.79.201; // B.ROOT-SERVERS.NET.
+ 192.33.4.12; // C.ROOT-SERVERS.NET.
+ 192.112.36.4; // G.ROOT-SERVERS.NET.
+ 193.0.14.129; // K.ROOT-SERVERS.NET.
+ };
+ notify no;
};
-
-// RFC 3152
-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
- type master;
- file "master/localhost-v6.rev";
+zone "in-addr.arpa" {
+ type slave;
+ file "slave/in-addr.arpa.slave";
+ masters {
+ 192.5.5.241; // F.ROOT-SERVERS.NET.
+ 192.228.79.201; // B.ROOT-SERVERS.NET.
+ 192.33.4.12; // C.ROOT-SERVERS.NET.
+ 192.112.36.4; // G.ROOT-SERVERS.NET.
+ 193.0.14.129; // K.ROOT-SERVERS.NET.
+ };
+ notify no;
};
+/* Serving the following zones locally will prevent any queries
+ for these zones leaving your network and going to the root
+ name servers. This has two significant advantages:
+ 1. Faster local resolution for your users
+ 2. No spurious traffic will be sent from your network to the roots
+*/
+// RFC 1912
+zone "localhost" { type master; file "master/localhost-forward.db"; };
+zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
+zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// RFC 1912-style zone for IPv6 localhost address
+zone "0.ip6.arpa" { type master; file "master/localhost-reverse.db"; };
+
+// "This" Network (RFCs 1912 and 3330)
+zone "0.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// IANA Reserved - Unlikely to ever be assigned
+zone "1.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "2.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "223.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// Public Data Networks (RFC 3330)
+zone "14.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// Private Use Networks (RFC 1918)
+zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "17.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "18.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "19.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "20.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "21.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "22.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "23.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "24.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "25.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "26.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "27.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "28.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "29.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "30.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "31.172.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// Link-local/APIPA (RFCs 3330 and 3927)
+zone "254.169.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// TEST-NET for Documentation (RFC 3330)
+zone "2.0.192.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// Router Benchmark Testing (RFC 2544)
+zone "18.192.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "19.192.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// IANA Reserved - Old Class E Space
+zone "240.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "241.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "242.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "243.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "244.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "245.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "246.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "247.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "248.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "249.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "250.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "251.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "252.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "253.in-addr.arpa" { type master; file "master/empty.db"; };
+zone "254.in-addr.arpa" { type master; file "master/empty.db"; };
+
+// IPv6 Unassigned Addresses (RFC 4291)
+zone "1.ip6.arpa" { type master; file "master/empty.db"; };
+zone "3.ip6.arpa" { type master; file "master/empty.db"; };
+zone "4.ip6.arpa" { type master; file "master/empty.db"; };
+zone "5.ip6.arpa" { type master; file "master/empty.db"; };
+zone "6.ip6.arpa" { type master; file "master/empty.db"; };
+zone "7.ip6.arpa" { type master; file "master/empty.db"; };
+zone "8.ip6.arpa" { type master; file "master/empty.db"; };
+zone "9.ip6.arpa" { type master; file "master/empty.db"; };
+zone "a.ip6.arpa" { type master; file "master/empty.db"; };
+zone "b.ip6.arpa" { type master; file "master/empty.db"; };
+zone "c.ip6.arpa" { type master; file "master/empty.db"; };
+zone "d.ip6.arpa" { type master; file "master/empty.db"; };
+zone "e.ip6.arpa" { type master; file "master/empty.db"; };
+zone "0.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "1.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "2.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "3.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "4.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "5.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "6.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "7.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "8.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "9.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "a.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "b.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "0.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "1.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "2.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "3.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "4.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "5.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "6.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "7.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+
+// IPv6 ULA (RFC 4193)
+zone "c.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "d.f.ip6.arpa" { type master; file "master/empty.db"; };
+
+// IPv6 Link Local (RFC 4291)
+zone "8.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "9.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "a.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "b.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+
+// IPv6 Deprecated Site-Local Addresses (RFC 3879)
+zone "c.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "d.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "e.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+zone "f.e.f.ip6.arpa" { type master; file "master/empty.db"; };
+
+// IP6.INT is Deprecated (RFC 4159)
+zone "ip6.int" { type master; file "master/empty.db"; };
+
// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example slave zone config entries. It can be convenient to become
// a slave at least for the zone your own domain is in. Ask
// your network administrator for the IP address of the responsible
-// primary.
+// master name server.
//
-// Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
-// (This is named after the first bytes of the IP address, in reverse
-// order, with ".IN-ADDR.ARPA" appended.)
+// Do not forget to include the reverse lookup zone!
+// This is named after the first bytes of the IP address, in reverse
+// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
//
-// Before starting to set up a primary zone, make sure you fully
-// understand how DNS and BIND works. There are sometimes
-// non-obvious pitfalls. Setting up a slave zone is simpler.
+// Before starting to set up a master zone, make sure you fully
+// understand how DNS and BIND work. There are sometimes
+// non-obvious pitfalls. Setting up a slave zone is usually simpler.
//
// NB: Don't blindly enable the examples below. :-) Use actual names
// and addresses instead.
-/* An example master zone
-zone "example.net" {
- type master;
- file "master/example.net";
-};
-*/
-
/* An example dynamic zone
key "exampleorgkey" {
- algorithm hmac-md5;
- secret "sf87HJqjkqh8ac87a02lla==";
+ algorithm hmac-md5;
+ secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
type master;
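Review bot: The three new `type slave` stanzas (`.`, `arpa`, `in-addr.arpa`) pull zone data from hard-coded addresses with no key on the `masters` entries, so whatever arrives over the transfer is accepted without authentication and then used for referrals. They also depend on those five addresses staying current and on the operators continuing to permit transfers, neither of which this file can guarantee. The block comment above `zone "."` should say so, e.g. `NB: these transfers are unauthenticated; re-check the addresses periodically and switch to the hint zone if transfers are refused.` Separately, the `master/empty.db` entries for the RFC 1918 ranges make this server answer reverse lookups for private addresses itself, so the comment above them should tell sites that number hosts from those ranges to remove the matching lines.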
@@ -108,14 +259,7 @@ zone "example.org" {
};
*/
-/* Examples of forward and reverse slave zones
-zone "example.com" {
- type slave;
- file "slave/example.com";
- masters {
- 192.168.1.1;
- };
-};
+/* Example of a slave reverse zone
zone "1.168.192.in-addr.arpa" {
type slave;
file "slave/1.168.192.in-addr.arpa";