//
// Bind options (Salt managed)
//

options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	// forwarders {
	//	0.0.0.0;
	// };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	// Disable DNSSEC validation as it will FAIL for all ffXY domains which will
	// render them unuseable. As bind can only be run in all-on or all-off mode
	// this seems to be our only chance for now :-(
	dnssec-validation no;

	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };

	allow-recursion {
		127.0.0.0/8;
		::1/128;

		// Entries from pillar
{%- for entry in salt['pillar.get']('dns-server:auth:allow-recursion', []) %}
		{{ entry }};
{%- endfor %}
	};

	// Disable notifies on non-master DNS
	notify no;

	version "Freifunk Hochstift DNS";
	use-v4-udp-ports { range 1024 65535; };
	use-v6-udp-ports { range 1024 65535; };
};

// Allow scraping by bind-exporter
statistics-channels {
	inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};