/*
 * Refer to the named.conf(5) and named(8) man pages, and the documentation
 * in /usr/share/doc/bind-* for more details.
 * Online versions of the documentation can be found here:
 * https://kb.isc.org/article/AA-01031
 *
 * If you are going to set up an authoritative server, make sure you
 * understand the hairy details of how DNS works. Even with simple mistakes,
 * you can break connectivity for affected parties, or cause huge amounts of
 * useless Internet traffic.
 */

options {
	directory "{{ map.get('named_directory') }}";
	pid-file "/run/named/named.pid";

	bindkeys-file "/etc/bind/bind.keys";

{%- if salt['pillar.get']('bind:config:ipv6', False) %}
	listen-on-v6 { {{ salt['pillar.get']('bind:config:ipv6_listen', 'any') }}; };
{%- endif %}

	listen-on { 127.0.0.1; };

{%- for statement, value in salt['pillar.get']('bind:config:options', {})|dictsort -%}
	{%- if value is iterable and value is not string %}
	{{ statement }} {
		{%- for item in value %}
			  {{ item }};
		{%- endfor %}
	};
	{%- else %}
	{{ statement }} {{ value }};
	{%- endif %}
{%- endfor %}
};

{% for incl in salt['pillar.get']('bind:config:includes', []) %}
include "{{ incl }}";
{% endfor %}


{%- if salt['pillar.get']('bind:controls', False) %}
controls {
	{%- for name, control in salt['pillar.get']('bind:controls')|dictsort if control.get('enabled', True) %}
	inet {{ control.get('bind', {}).get('address', '127.0.0.1') }} port {{ control.get('bind', {}).get('port', 953) }}
	{%- if control.get('allow') %}
	allow {
		{%- for allow in control.allow %}
		{{ allow }};
		{%- endfor %}
	}
	{%- endif %}
	{%- if control.get('keys') %}
	keys {
		{%- for key in control.get('keys') %}
		{{ key }};
		{%- endfor %}
	}
	{%- endif %};
	{%- endfor %}

};
{%- endif %}

zone "." in {
	type hint;
	file "/var/bind/named.cache";
};

zone "localhost" IN {
	type master;
	file "pri/localhost.zone";
	notify no;
};

/*
 * Briefly, a zone which has been declared delegation-only will be effectively
 * limited to containing NS RRs for subdomains, but no actual data beyond its
 * own apex (for example, its SOA RR and apex NS RRset). This can be used to
 * filter out "wildcard" or "synthesized" data from NAT boxes or from
 * authoritative name servers whose undelegated (in-zone) data is of no
 * interest.
 * See http://www.isc.org/software/bind/delegation-only for more info
 */

//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };

//zone "YOUR-DOMAIN.TLD" {
//	type master;
//	file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
//	allow-query { any; };
//	allow-transfer { xfer; };
//};

//zone "YOUR-SLAVE.TLD" {
//	type slave;
//	file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
//	masters { <MASTER>; };

	/* Anybody is allowed to query but transfer should be controlled by the master. */
//	allow-query { any; };
//	allow-transfer { none; };

	/* The master should be the only one who notifies the slaves, shouldn't it? */
//	allow-notify { <MASTER>; };
//	notify no;
//};

include "{{ map.local_config }}";