---

bind9_acls:
- name: internalnets
  permissions: []
  # - "111.222.111.222"

bind9_controls: []
# - acls:
#   - localhost
#   inet: "127.0.0.1"
#   port: "953"
#   tsig_keys:
#   - rndc

bind9_logging:
  categories:
  - name: "security"
    channels:
    - "security_file"
  channels:
  - name: "security_file"
    file:
      path: "/var/log/named/security.log"
      options: "versions 3 size 30m"
    severity: "dynamic"
    print_times: "yes"

bind9_options:
  allow_query: []
  allow_query_on: []
  allow_query_cache: []
  allow_query_cache_on: []
  allow_recursion:
  - "localhost"
  - "localnets"
  - "internalnets"
  allow_recursion_on: []
  allow_transfer: []
  allow_update: []
  allow_update_forwarding: []
  auth_nxdomain: false
  blackhole: []
  dnssec_accept_expired: false
  dnssec_validation: "auto"
  forwarders:
  - ip: "8.8.8.8"               # Google IPv4
    port: "53"
  - ip: "8.8.4.4"               # Google IPv4
    port: "53"
  - ip: "2001:4860:4860::8888"  # Google IPv6
    port: "53"
  - ip: "2001:4860:4860::8844"  # Google IPv6
    port: "53"
  - ip: "208.67.222.222"        # OpenDNS IPv4
    port: "53"
  - ip: "208.67.220.220"        # OpenDNS IPv4
    port: "53"
  - ip: "2620:0:ccc::2"         # OpenDNS IPv6
    port: "53"
  - ip: "2620:0:ccd::2"         # OpenDNS IPv6
    port: "53"
  interface_interval: 0
  key_directory: "/var/named/dnssec-keys"
  listen_on_ipv4:
  - "127.0.0.1"
  listen_on_ipv6:
  - "::1"
  max_transfer_time: "60"
  minimal_responses: "no"
  notify: "yes"
  recursion: "yes"
  update_policies: []
  # - action: grant
  #   identity: keyname
  #   ruletype: name
  #   name: _acme-challenge.example.com.
  #   types:
  #   - TXT

  transfer_format: "many-answers"

bind9_rndc_key:
  name: ""
  algorithm: ""
  secret: ""

bind9_dnssec_keys: []
# - origin: "hellenthal.cryptic.systems"
#   key_signing_key:
#     private:
#       filename: "{{ bind9_options.key_directory }}/example.com.private"
#       content: "private key"
#     public:
#       filename: "{{ bind9_options.key_directory }}/example.com.private"
#       content: "public key"
#   zone_signing_key:
#     private:
#       filename: "{{ bind9_options.key_directory }}/example.com.private"
#       content: "private key"
#     public:
#       filename: "{{ bind9_options.key_directory }}/example.com.private"
#       content: "public key"

bind9_statics:
  enabled: true
  channels:
  - inet: "127.0.0.1"
    port: "8053"
    acls:
    - "localhost"


bind9_tsigkeys: []
# - name: "name"
#   algorithm: "algorithm"
#   secret: "secret"

bind9_views: []
# - name: external
#   match_clients:
#   - "!internalnets"
#   - "any"
#   zones:
#   - config:
#       allow_notify: []
#       allow_query:
#       - "any"
#       allow_query_on: []
#       allow_update: []
#       allow_update_forwarding: []
#       allow_transfer: []
#       file: zones/external/db.local.example
#       origin: "example.local."
#       type: master
#       notify: true
#     file: zones/external/db.local.example
# - name: internal
#   match_clients:
#   - "!192.168.178.1"
#   - "internalnets"
#   - "127.0.0.0/8"
#   zones:
#   - config:
#       allow_notify: []
#       allow_query:
#       - "any"
#       allow_query_on: []
#       allow_update: []
#       allow_update_forwarding: []
#       allow_transfer: []
#       file: zones/internal/db.local.example
#       origin: "example.local."
#       type: master
#     file: zones/internal/db.local.example
#   - config:
#       allow_notify: []
#       allow_query: []
#       allow_query_on: []
#       allow_update: []
#       allow_update_forwarding: []
#       allow_transfer: []
#       forward: only
#       forwarders:
#       - 192.168.175.1
#       origin: "gitlab-runner.external.local"
#       type: forward
#     file: "gitlab-runner.external.local"