network/salt/bind/named.conf


# Slaves rely on static IPv4 addrs over dn42. Do not contact them over
# their public addrs because our source addr is dynamic!
#
# slaves() renders an allow-transfer and an also-notify list, both built from
# pillar['bind']['slaves']. When that pillar list is empty it renders nothing.
# NOTE(review): transfers are authorized by source address only; no TSIG key
# is referenced in these ACLs. Confirm the dn42 addresses cannot be used by
# other peers, or switch the ACL to key-based entries.
# NOTE(review): with an empty pillar list no zone-level allow-transfer is
# emitted, so the options-level setting or the BIND default applies. Older
# BIND releases default to allowing transfers from any host -- confirm.
{% macro slaves() -%}
{%- if pillar['bind']['slaves'] -%}
allow-transfer {
{%- for addr in pillar['bind']['slaves'] -%}
{{ addr }};
{%- endfor -%}
};
also-notify {
{%- for addr in pillar['bind']['slaves'] -%}
{{ addr }};
{%- endfor -%}
};
{%- endif -%}
{%- endmacro %}
# root domain
# One master zone per value of pillar['bind']['root-domain'] (the ctx key is
# not used in this loop), served from /etc/bind/<root_domain>.zone with the
# slaves() transfer/notify lists.
# NOTE(review): pillar values are interpolated unescaped into the quoted zone
# name and the file path; this presumes pillar data is operator-controlled and
# contains no quotes or path separators -- confirm.
{%- for ctx, root_domain in pillar['bind']['root-domain'].items() %}
zone "{{ root_domain }}" IN {
type master;
file "/etc/bind/{{ root_domain }}.zone";
{{ slaves() }}
};
# net zones
# One master zone "<net>.<root_domain>" per key of pillar['subnets-inet'];
# the subnet4 value is not used here.
{%- for net, subnet4 in pillar['subnets-inet'].items() %}
{%- set domain = net ~ '.' ~ root_domain %}
zone "{{ domain }}" IN {
type master;
file "/etc/bind/{{ domain }}.zone";
{{ slaves() }}
};
{%- endfor %}
{%- endfor %}
# IPv4 reverse zones
# One master zone per entry of pillar['bind']['reverse-zones-inet'].
# NOTE(review): unlike the other zones in this file, these do not call
# slaves(), so no zone-level allow-transfer/also-notify is rendered and the
# transfer policy comes from options-level config not shown here. Confirm
# this is intentional and that the effective policy is not "any".
{%- for domain in pillar['bind']['reverse-zones-inet'] %}
zone "{{ domain }}" IN {
type master;
file "/etc/bind/{{ domain }}.zone";
};
{%- endfor %}
# IPv6 reverse zones
# pillar['bind']['reverse-zones-inet6'] maps a context key (unused here) to a
# list of zone names; each name becomes a master zone with the slaves()
# transfer/notify lists.
{%- for ctx, domains in pillar['bind']['reverse-zones-inet6'].items() %}
{%- for domain in domains %}
zone "{{ domain }}" IN {
type master;
file "/etc/bind/{{ domain }}.zone";
{{ slaves() }}
};
{%- endfor %}
{%- endfor %}
# DynDNS
# One hmac-sha256 TSIG key per entry of pillar['dyndns'], named after the
# pillar key, with the secret taken from conf['secret'].
# NOTE(review): the secrets are rendered in cleartext into this file. The
# Salt state that installs it is not shown; confirm the rendered file is
# readable only by root and the named user/group, or move the key clauses
# into a separately included file with tighter permissions.
{%- for name, conf in pillar['dyndns'].items() %}
key "{{ name }}" {
algorithm hmac-sha256;
secret "{{ conf['secret'] }}";
};
{%- endfor %}
# DynDNS zone
# Master zone "dyn.<root-domain of context 'up1'>" with the slaves()
# transfer/notify lists. The update-policy grants each DynDNS key the right
# to update exactly one name, <key name>.<zone>, for record type ANY.
# NOTE(review): ANY is not limited to address records. If clients only
# publish addresses, narrowing the grant to "A AAAA" would follow least
# privilege -- confirm no client needs other types (e.g. TXT) first.
{%- set domain = 'dyn.' ~ pillar['bind']['root-domain']['up1'] %}
zone "{{ domain }}" IN {
type master;
file "/etc/bind/{{ domain }}.zone";
{{ slaves() }}
update-policy {
{%- for name, conf in pillar['dyndns'].items() %}
grant {{ name }} name {{ name }}.{{ domain }} ANY;
{%- endfor %}
};
};