system-config/playbooks/roles/nameserver/templates/nsd.conf.j2

server:
{% if 'address' in ansible_facts.default_ipv4 %}
    ip-address: {{ ansible_facts.default_ipv4.address }}
{% endif %}
{% if 'address' in ansible_facts.default_ipv6 %}
    ip-address: {{ ansible_facts.default_ipv6.address }}
{% endif %}
    ip-transparent: no
    debug-mode: no
    database: /var/lib/nsd/nsd.db
    identity: {{ inventory_hostname }}
    server-count: 1
    tcp-count: 250
    tcp-query-count: 0
    ipv4-edns-size: 4096
    ipv6-edns-size: 4096
    pidfile: /run/nsd/nsd.pid
    port: 53
    username: nsd
    zonesdir: /var/lib/nsd
    xfrdfile: /var/lib/nsd/xfrd.state
    xfrd-reload-timeout: 1
    verbosity: 0
    hide-version: no
    rrl-size: 1000000
    rrl-ratelimit: 200
    rrl-slip: 2
    rrl-ipv4-prefix-length: 24
    rrl-ipv6-prefix-length: 64
    rrl-whitelist-ratelimit: 4000
key:
    name: tsig
    algorithm: {{ tsig_key.algorithm }}
    secret: {{ tsig_key.secret }}
{% for zone in dns_zones %}
zone:
    name: {{ zone.name }}
    allow-notify: {{ dns_master }} NOKEY
    request-xfr: AXFR {{ dns_master }} tsig
{% endfor %}