include "/etc/bind/rndc.key";
include "/etc/bind/tsig.key";

controls  {
  inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options  {
  directory "/var/cache/bind";

  recursion yes;
  allow-query { any; };
  dnssec-enable yes;
  dnssec-validation yes;

  empty-zones-enable yes;

  notify yes;
{% if 'address' in ansible_facts.default_ipv6
       and 'scope' in ansible_facts.default_ipv6
       and ansible_facts.default_ipv6.scope == 'global' %}
  listen-on-v6 { {{ ansible_facts.default_ipv6.address }}; };
{% endif %}

  allow-recursion { localnets; localhost; };

  allow-transfer { key tsig; };
  also-notify {
  {% for host in dns_notify %}
    {{ host }};
  {% endfor %}
  };

{% if 'address' in ansible_facts.default_ipv4 %}
  listen-on { {{ ansible_facts.default_ipv4.address }}; };
{% endif %}
};

include "/etc/bind/zones.rfc1918";

{% for zone in dns_zones %}
zone {{ zone.name }} {
  type master;
  file "/var/lib/bind/zones/{{ zone.name }}/zone.db";
  key-directory "/etc/bind/keys/{{ zone.name }}";
  auto-dnssec maintain;
  inline-signing yes;
};
{% endfor %}