# TODO TSIG keys
# TODO DNSSEC
# TODO also-notify our secondary servers 

options {
	directory "/var/cache/bind";

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;

	listen-on-v6 { any; };

	recursion no;

	{% if secondary is defined %}
	catalog-zones {
	    in-memory no;
	    zone-directory /etc/bind/peers;
	    {% for ns in secondary %}
	    zone "{{ ns }}.catalog";
	    {% endfor %}
	}
	{% endif %}
};