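# named.conf accepts three comment styles: `#`, `//` and `/* ... */`.
# Relevant Administrator Reference Manual (ARM):
#   https://downloads.isc.org/isc/bind9/9.16.8/doc/arm/Bv9ARM.pdf
# FIXME-DOCS(Krey): Provide best practices reference

# NOTE(Krey): The key has to be included in named.conf.
# NOTE(review): this include carries the rndc secret, so the file must be
# readable only by the user named runs as. The update key `ddns-key` referenced
# in the "dotya.ml" zone is not defined anywhere in this file; it has to come
# from this include or another one, otherwise named refuses to load the config.
include "/etc/bind/secret.rndc-key";

options {
    // Working directory; every relative path below resolves against it.
    directory "/var/named/bind";

    // Path configuration
    // NOTE(review): dump-file points at the filesystem root; `rndc dumpdb`
    // will fail unless the named user can write there. A path relative to
    // `directory` (like the statistics files below) is the usual choice.
    dump-file "/bind_dump.db";           // _PATH_DUMPFILE
    pid-file "/run/named/bind.pid";      // _PATH_PIDFILE
    statistics-file "bind.stats";        // _PATH_STATS
    memstatistics-file "bind.memstats";  // _PATH_MEMSTATS

    // random-device is obsolete since BIND 9.13 (named uses the OS CSPRNG)
    // and only triggers a warning in 9.16, so it is no longer set here.
    // random-device "/dev/random";

    // Uncomment the following lines to turn on DNS forwarding,
    // and change the forwarding ip address(es):
    //forward first;
    //forwarders {
    //    <forwarder-ip>;
    //};

    // NOTE(Krey): Open port 53 reserved for the name daemon.
    listen-on port 53 { any; };
    // NOTE(Krey): Close IPv6 ports as current dotya.ml doesn't have IPv6.
    listen-on-v6 { none; };

    // NOTE(Krey): Set this to allow only specific hosts to query the server.
    // With `recursion no` below this is an authoritative-only server that has
    // to answer anyone for the zones it serves, so allow-query is left at its
    // default (any); restricting it would only make sense for a resolver.
    //allow-query {
    //    <client-ip>;
    //};

    // Cache configuration, in seconds. These take bare numbers (durations),
    // not quoted strings.
    min-cache-ttl 60;
    max-cache-ttl 600;

    // NOTE(Krey): Disable recursion as it's not needed.
    // This is also what prevents the host from being used as an open resolver
    // (and a DNS amplification source); do not re-enable it without a matching
    // allow-recursion list.
    recursion no;

    // If you have problems and are behind a firewall:
    //query-source address * port 53;

    // Optional hardening: stop advertising the BIND version over CH TXT.
    //version none;

    // DNSSEC validation of answers. Only exercised for recursive lookups, so it
    // is effectively inert with `recursion no`, but harmless to leave enabled.
    dnssec-validation auto;
    // Default key handling for zones; "dotya.ml" repeats it explicitly below.
    auto-dnssec maintain;
};

// rndc control channel. Bind it to loopback and allow only loopback, so rndc
// can be reached solely from this host; the channel is still authenticated
// with "rndc-key" from the include above.
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
    channel named_log {
        // Rotate after 2 MiB, keep three old generations.
        file "/var/log/named/bind.log" versions 3 size 2m;
        severity info;
        print-severity yes;
        print-time yes;
        print-category yes;
    };
    // Everything not listed below (including security, update and xfer
    // categories) lands in named_log via the default category.
    category default { named_log; };
    // Lame-server noise is dropped on purpose.
    category lame-servers { null; };
};

// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info.
// NOTE(review): delegation-only only affects answers this server obtains
// recursively, so with `recursion no` the two declarations below are inert.

zone "dotya.ml" {
    type master;
    // NOTE(review): with `inline-signing yes` the `file` is normally the
    // *unsigned* source zone and named maintains "<file>.signed" next to it;
    // pointing `file` at the already-signed copy looks inverted — confirm
    // which file is actually edited.
    file "/etc/bind/zonefiles/ml/dotya/master.zonefile.signed";
    key-directory "/var/cache/named/bind/keys/ml/dotya/";

    // Dynamic updates: only holders of `ddns-key`, and only for names below
    // the apex. `zonesub ANY` still lets that key change any record type
    // anywhere under the zone, so the key secret needs the same protection
    // as the rndc secret.
    // allow-update is deliberately absent: BIND rejects a zone that sets both
    // allow-update and update-policy, and update-policy is the intended one.
    update-policy {
        grant ddns-key zonesub ANY;
    };

    // Zone transfers: only the listed address(es) may AXFR/IXFR the zone.
    // The secondary's address was not present in this copy of the file;
    // `none` keeps transfers closed until it is filled in.
    allow-transfer {
        // Current Server IP
        none;
    };

    inline-signing yes;
    // Only the KSK signs the DNSKEY RRset.
    dnssec-dnskey-kskonly yes;
    // Signatures are valid for 21 days and are regenerated once fewer than
    // 16 days of validity remain (i.e. roughly every 5 days).
    sig-validity-interval 21 16;
    auto-dnssec maintain;
    // SOA serial is replaced with the current Unix time on each change.
    serial-update-method unixtime;
};

zone "COM" {
    type delegation-only;
};

zone "NET" {
    type delegation-only;
};

// Root hints are only consulted for recursion, which is disabled above;
// kept so the file still loads if recursion is ever re-enabled.
zone "." IN {
    type hint;
    file "named.cache";
};

zone "localhost" IN {
    type master;
    file "pri/localhost.zone";
    allow-update { none; };
    notify no;
};

zone "127.in-addr.arpa" IN {
    type master;
    file "pri/127.zone";
    allow-update { none; };
    notify no;
};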