// vi:ft=named noexpandtab

// Key material for the control channel; presumably defines the "rndc-key"
// that the controls block below requires (confirm against the key file).
include "/etc/bind/rndc.key";

options {
	// ---- Paths ----
	directory "/etc/bind/local/cache";
	bindkeys-file "/etc/bind/bind.keys";

	// ---- DNSSEC ----
	// If BIND logs error messages about the root key being expired, the
	// keys need to be updated. See https://www.isc.org/bind-keys
	//
	// mcrute: validation is disabled because the AWS resolvers return
	// invalid zone signatures.
	// NOTE(review): with validation off, answers obtained from upstream are
	// accepted without signature checks, so clients that rely on this server
	// get no DNSSEC protection against forged responses. Revisit if the
	// upstream resolvers change.
	dnssec-validation no;

	// ---- Protocol behaviour and statistics ----
	zone-statistics full;
	auth-nxdomain no;	// conform to RFC1035
	notify master-only;	// secondaries do not send NOTIFY

	// ---- Information disclosure ----
	version none;	// no answer to version.bind queries
	hostname none;	// no answer to hostname.bind queries

	// ---- Listeners ----
	// Bound to every interface on both address families, so the ACLs below
	// are what limit who can use each service.
	listen-on { any; };
	listen-on-v6 { any; };

	// ---- Access control ----
	// internal-nets and all-dns-servers are ACLs that are not defined in
	// this file (presumably in named_local.conf -- confirm).
	allow-recursion { internal-nets; localhost; };
	allow-transfer { internal-nets; localhost; };
	allow-notify { all-dns-servers; };
	// NOTE(review): "any" lets every client that can reach this server have
	// its dynamic updates forwarded to the primary. The BIND ARM warns that
	// update forwarding on a secondary can expose primaries that rely on
	// IP-address-based access control; confirm the primaries require signed
	// (TSIG) updates, or narrow this to a named ACL.
	allow-update-forwarding { any; };

	// ---- EDNS / UDP sizing ----
	// Force TCP if a response would be larger than the IPv6 fragment size.
	// see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
	max-udp-size 1220;
	edns-udp-size 1220;

	// ---- Zone transfer concurrency ----
	// Allow more transfers at once to improve secondary convergence.
	transfers-in 50;
	transfers-out 50;
};

// Statistics endpoint on port 8053, reachable from loopback only.
statistics-channels {
	inet 127.0.0.1 port 8053 allow { localhost; };
	inet ::1 port 8053 allow { localhost; };
};

// rndc control channel: loopback only, and callers must hold "rndc-key".
controls {
	inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
	inet ::1 allow { localhost; } keys { "rndc-key"; };
};

// Site-local configuration, kept in a separate file.
include "/etc/bind/named_local.conf";