// vi:ft=named noexpandtab

// TSIG key referenced by the `controls` statement below (key name "rndc-key").
// Keep this file readable only by the named user: anyone who can read it can
// drive rndc against the loopback control channel.
include "/etc/bind/rndc.key";

//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys.  See https://www.isc.org/bind-keys
//========================================================================
options {
	directory "/etc/bind/local/zones";
	managed-keys-directory "/etc/bind/local/managed-keys";
	bindkeys-file "/etc/bind/bind.keys";	// Default is /etc/bind.keys :-(

	// NOTE(review): with validation off, recursive clients matched by
	// allow-recursion (internal-nets, localhost) receive unvalidated answers.
	// The reason the author gives is kept below; re-check it periodically.
	dnssec-validation no;		// AWS resolvers return invalid zone signatures
	zone-statistics full;		// Track full stats for prometheus export
	masterfile-format text;		// Write zonefiles in text even for secondary zones
	auth-nxdomain no;		// conform to RFC1035
	notify master-only;		// don't send NOTIFY from secondaries
	version none;			// do not disclose the BIND version in CHAOS queries
	hostname none;			// do not disclose the hostname in CHAOS queries

	// Force TCP if response would be larger than IPv6 fragment size
	// see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
	max-udp-size 1220;
	edns-udp-size 1220;

	// Allow more transfers at once to improve secondary convergence
	transfers-in 50;
	transfers-out 50;

	// Listens on every address; exposure is governed by the allow-* ACLs
	// and the blackhole list below, not by the listen address.
	listen-on { any; };
	listen-on-v6 { any; };

	// NOTE(review): update forwarding is unrestricted, so any client that
	// can reach this server can have a dynamic update relayed to the zone's
	// primary; the primary's own allow-update policy is then the only control.
	// Consider limiting this to the known update sources (e.g. an ACL such as
	// internal-nets) if forwarding is actually needed.
	allow-update-forwarding { any; };

	// Typically this ACL is empty but exists so that it can be populated
	// during an attack to block bad clients.
	// (blackhole-clients is presumably defined in the included
	// /etc/bind/local/named.conf — verify.)
	blackhole { blackhole-clients; };

	// internal-keys / external-keys are presumably TSIG-key ACLs defined in
	// the included local config — verify; NOTIFY is accepted only when signed
	// with one of them.
	allow-notify { internal-keys; external-keys; };

	// Recursion and zone transfers are limited to the internal ACL below.
	allow-recursion { internal-nets; localhost; };
	allow-transfer { internal-nets; localhost; };
};

// Statistics are served over plain HTTP on loopback only; there is no
// authentication, so every local process can read them.
statistics-channels {
	inet 127.0.0.1 port 8053 allow { localhost; };
	inet ::1 port 8053 allow { localhost; };
};

// rndc control channel: loopback only, and every command must be signed
// with "rndc-key" from the file included above.
controls {
	inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
	inet ::1 allow { localhost; } keys { "rndc-key"; };
};

// Networks granted recursion and zone transfers (see options above).
acl internal-nets {
	// Internal RFC1918
	172.16.0.0/12;
	// Unknown? Maybe Docker bridge?
	// NOTE(review): this RFC1918 range is unattributed but is granted
	// recursion and full zone transfers; confirm who owns it or remove it.
	192.168.255.0/24;
	// Pomona ARIN
	23.149.16.0/24;
	2602:0803:4000::/40;
	// AWS
	2600:1f14:f39:e000::/56;
	2600:1f16:33:500::/56;
	2a05:d01c:7ba:b800::/56;
};

// Zone definitions and, presumably, the ACLs/keys referenced above
// (blackhole-clients, internal-keys, external-keys) live here — verify.
include "/etc/bind/local/named.conf";