// named.conf — authoritative-only configuration for {{ base_domain }}
// Managed by Ansible — do not edit manually.

options {
    directory "/var/cache/bind";

    // Authoritative only — no recursion to prevent DNS amplification attacks
    recursion no;
    allow-recursion { none; };

    // Accept queries from any source
    allow-query { any; };

    // Only allow zone transfers to trusted hosts (none by default)
    allow-transfer { none; };

    // Listen on all interfaces
    listen-on { any; };
    listen-on-v6 { any; };

    dnssec-validation no;
};

// Authoritative zone for the base domain
zone "{{ base_domain }}" IN {
    type master;
    file "/var/lib/bind/{{ base_domain }}.zone";
    allow-update { none; };
};