# $NetBSD: named.conf,v 1.10 2020/10/11 22:14:55 jnemeth Exp $

# boot file for secondary name server
# Note that there should be one primary entry for each SOA record.
# If you cannot get DNSSEC to work, and you see the following message:
# DNSKEY: verify failed due to bad signature (keyid=19036): \
# RRSIG validity period has not begun 
# Fix your clock. You can comment out the dnssec entries temporarily to
# get to an ntp server.

options {
	directory "/etc/namedb";
	dnssec-enable yes;
	dnssec-validation auto;
	managed-keys-directory "keys";
	bindkeys-file "bind.keys";
	allow-recursion { localhost; localnets; };
	max-udp-size 1220;
	edns-udp-size 1220;

	#
	# This forces all queries to come from port 53; might be
	# needed for firewall traversals but should be avoided if
	# at all possible because of the risk of spoofing attacks.
	#
	#query-source address * port 53;
};

zone "." {
	type hint;
	file "root.cache";
};

zone "localhost" {
	type master;
	file "localhost";
};

zone "127.IN-ADDR.ARPA" {
	type master;
	file "127";
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
	type master;
	file "loopback.v6";
};

# example secondary server config:
#
# zone "Berkeley.EDU" {
# 	type slave;
# 	file "berkeley.edu.cache";
# 	masters {
# 		128.32.130.11;
# 		128.32.133.1;
# 	};
# };

# zone "32.128.IN-ADDR.ARPA" {
# 	type slave;
# 	file "128.32.cache";
# 	masters {
# 		128.32.130.11;
# 		128.32.133.1;
# 	};
# };

# example primary server config:
# 
# zone "Berkeley.EDU" {
# 	type master;
# 	file "berkeley.edu";
# };

# zone "32.128.IN-ADDR.ARPA" {
# 	type master;
# 	file "128.32";
# };