# default options - https://bind9.readthedocs.io/en/latest/chapter3.html
options {
  version "9";
  listen-on { any; };
  listen-on-v6 { any; };
  zone-statistics yes;
  max-cache-size 60m;
  interface-interval 60;
  max-ncache-ttl 10800;
  max-udp-size 4096;
  forwarders { 1.1.1.1; 8.8.8.8; 8.8.4.4; };
  notify yes;
  allow-transfer { trusted; };
  transfer-format many-answers;
  allow-query { any; };
  allow-recursion { any; };
  allow-query-cache { any; };
  auth-nxdomain no;
  dnssec-validation auto;
  directory "/var/bind";
  managed-keys-directory "/etc/bind/keys";
  pid-file "/run/named/named.pid";
  dump-file "/data/logs/named/dump.db";
  statistics-file "/data/logs/named/named.stats";
  memstatistics-file "/data/logs/named/mem.stats";
};
#####################################################################
# access settings
acl "all" { 0.0.0.0/0; ::/0; };
acl "trusted" { 10.0.0.0/8; 127.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
#####################################################################
# named logging options
logging {
channel xfer-in { stderr; severity info; print-category yes; print-severity yes; print-time yes; };
channel xfer-out { stderr; severity info; print-category yes; print-severity yes; print-time yes; };
channel update { stderr; severity info; print-category yes; print-severity yes; print-time yes; };
channel notify { stderr; severity info; print-category yes; print-severity yes; print-time yes; };
channel querylog { stderr; severity info; print-time yes; };
channel security { file "/data/logs/named/security.log"; severity dynamic; print-severity yes; print-time yes; };
channel default { file "/data/logs/named/default.log"; severity debug; print-category yes; print-severity yes; print-time yes; };
channel debug { file "/data/logs/named/debug.log"; severity debug; };
category lame-servers { default; debug; };
category dispatch { default; debug; };
category queries { querylog; debug; };
category update { default; update; debug; };
category network { default; debug; };
category unmatched { default; debug; };
category client { default; debug; };
category notify { notify; debug; };
category xfer-out { xfer-out; debug; };
category xfer-in { xfer-in; debug; };
category resolver { default; debug; };
category config { default; debug; };
category security { security; debug; };
category database { default; debug; };
category general { default; debug; };
category default { default; };
category dnssec { security; debug; };
};
#####################################################################
# rndc keys
key "certbot." { algorithm hmac-sha256; secret "REPLACE_KEY_CERTBOT"; };
key "rndc-key" { algorithm hmac-sha256; secret "REPLACE_KEY_RNDC"; };
key "dhcp-key" { algorithm hmac-sha256; secret "REPLACE_KEY_DHCP"; };
key "backup-key" { algorithm hmac-sha256; secret "REPLACE_KEY_BACKUP"; };
#####################################################################
# rndc settings
controls { inet 127.0.0.1 allow { trusted; } keys { "rndc-key"; }; };
#####################################################################
#  ********** begin root info **********
zone "." {
    type hint;
    file "/var/bind/root.cache";
};
#  ********** end root info **********
# end
#####################################################################