From 78d82029f08749eb11d9f1d86b4dbd5d4b8969bc Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sun, 26 Apr 2020 19:39:52 +0200
Subject: [PATCH] Fix master/slave certbot in bind
---
 .../templates/bind/named.conf.local.j2 | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2
index 4b689c76..12b3dce4 100644
--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@@ -20,8 +20,8 @@ key "certbot_challenge." {
 // Let's Encrypt Challenge DNS-01 zone
 zone "_acme-challenge.crans.org" {
+ {% if is_master -%}
 type master;
- file "bak._acme-challenge.crans.org";
 allow-transfer {
 {% for ip in slaves_ipv4 -%}
 {{ ip }};
@@ -30,6 +30,21 @@ zone "_acme-challenge.crans.org" {
 {{ ip }};
 {% endfor -%}
 };
+ notify yes;
+ {% else -%}
+ type slave;
+ masters {
+ {% for ip in masters_ipv4 -%}
+ {{ ip }};
+ {% endfor -%}
+ {% for ip in masters_ipv6 -%}
+ {{ ip }};
+ {% endfor -%}
+ };
+ allow-transfer { "none"; };
+ notify no;
+ {% endif -%}
+ file "bak.{{ zone }}";
 update-policy {
 grant certbot_challenge. name _acme-challenge.crans.org txt;
 };
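Review bot: In the second hunk `update-policy` stays after `{% endif -%}`, so it is also rendered into the `type slave;` zone; as far as I know BIND allows `update-policy` only on a master zone and `named-checkconf` would reject the secondary's config, so move `update-policy { grant certbot_challenge. name _acme-challenge.crans.org txt; };` above `{% else -%}`. The new `file "bak.{{ zone }}";` line relies on a `zone` variable that neither hunk defines, while the zone name is hard-coded everywhere else in this block; unless it is set outside the hunk, keep the literal `file "bak._acme-challenge.crans.org";` so the file name cannot render empty or collide with another zone's file. Because the TXT records in this zone decide DNS-01 certificate issuance, consider authenticating transfers with a TSIG key in `masters` and `allow-transfer` rather than by IP address alone. The zone block closes outside the hunk.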