# Relevant: https://kb.isc.org/docs/aa-00711

options {
	// Krey: Set directory for bind
	directory "/bedrock/strata/exherbo/var/bind";

	// Krey: Sets Random Device
	random-device "/dev/random";

	key-directory "/bedrock/strata/exherbo/var/cache/bind/keys";

	// uncomment the following lines to turn on DNS forwarding,
	// and change the forwarding ip address(es) :
	//forward first;
	//forwarders {
	//	123.123.123.123;
	//	123.123.123.123;
	//};

	listen-on port 53 { any; };

	listen-on-v6 { none; };
		listen-on { 127.0.0.1; };

	// to allow only specific hosts to use the DNS server:
	//allow-query {
	//	127.0.0.1;
	//};

	// if you have problems and are behind a firewall:
	//query-source address * port 53;
	pid-file "/bedrock/strata/exherbo/run/named/named.pid";
};

#controls {
#    inet 127.0.0.1 port 953
#        allow { 127.0.0.1; } keys { "/etc/bind/rndc.key"; };
#};

logging {
   channel named_log{
      file "/var/log/named/bind.log" versions 3 size 2m;
      severity info;
      print-severity yes;
      print-time yes;
      print-category yes;
   };
   category default {
      named_log;
   };
   category lame-servers {
      null;
   };
};


// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info

zone "rixotstudio.cz" {
	type master;
	file "/bedrock/strata/exherbo/etc/bind/master/rixotstudio.cz";
	update-policy {
		grant ddns-key zonesub ANY;
	};
	allow-transfer {
		// Current Server IP
		213.220.230.81;
		// Wedos - Secondary DNS
		46.28.104.67;
	};
	#allow-update { 213.220.230.81; };
	inline-signing yes;
	# Only sign DNSKEY with KSK
	dnssec-dnskey-kskonly yes;
	# expiration time 21d, refresh period 16d
	sig-validity-interval 21 16;
	auto-dnssec maintain;
	serial-update-method unixtime;
};

zone "COM" { type delegation-only; };
zone "NET" { type delegation-only; };

zone "." IN {
	type hint;
	file "named.cache";
};

zone "localhost" IN {
	type master;
	file "pri/localhost.zone";
	allow-update { none; };
	notify no;
};

zone "127.in-addr.arpa" IN {
	type master;
	file "pri/127.zone";
	allow-update { none; };
	notify no;
};