{{ ansible_header | comment(decoration='// ') }}

// Access lists.
// Only "crans", "cransadm" and "bornes" are referenced in this file; the
// other ACLs are presumably used by files that include or follow this one.
// NOTE(review): confirm they are still in use before removing any of them.
acl "isolement" {
    10.52.0.0/16;
};

acl "accueil" {
    10.51.0.0/16;
};

acl "switches" {
    10.231.100.0/24;
};

acl "event" {
    10.231.137.0/24;
    2a0c:700:0:10::/64;
};

acl "fil-new" {
    10.54.1.0/24;
    10.54.2.0/23;
    10.54.4.0/22;
    10.54.8.0/21;
    10.54.16.0/21;
    10.54.24.0/23;
    10.54.0.0/24;
    2a0c:700:0:21::/64;
};

acl "wifi-new" {
    10.53.1.0/24;
    10.53.2.0/23;
    10.53.4.0/22;
    10.53.8.0/21;
    10.53.16.0/22;
    10.53.20.0/24;
    10.53.0.0/24;
    10.53.21.0/24;
    10.53.22.0/23;
    10.53.24.0/23;
    2a0c:700:0:22::/64;
};

// "crans" is one of the three ACLs granted recursion below. It also lists
// the IPv6 /64s that appear in "fil-new" and "wifi-new".
acl "crans" {
    2a0c:700:0:1::/64;
    138.231.137.0/24;
    138.231.138.0/23;
    138.231.140.0/22;
    185.230.77.0/24;
    2a0c:700:0:21::/64;
    2a0c:700:0:23::/64;
    185.230.78.0/24;
    185.230.76.0/24;
    2a0c:700:0:22::/64;
    138.231.136.0/24;
};

acl "cransadm" {
    2a0c:700:0:2::/64;
    10.231.136.0/24;
};

acl "bornes" {
    fd01:240:fe3d:3::/64;
    10.231.148.0/24;
};

options {
    directory "/var/cache/bind";

    // If a firewall sits between this server and the nameservers it
    // queries, the firewall may need to allow traffic from multiple source
    // ports. See http://www.kb.cert.org/vuls/id/800113 (DNS cache poisoning).

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================

    // Recursion and cached answers are limited to loopback and the three
    // ACLs below. The server listens on every address and allow-query is
    // "any", so these two statements are what keep it from acting as an
    // open resolver; keep both lists identical when editing.
    // NOTE(review): ::1 is not listed although listen-on-v6 is "any" -
    // confirm that local IPv6 clients do not need recursion.
    allow-query-cache { 127.0.0.1; crans; cransadm; bornes; };
    allow-recursion { 127.0.0.1; crans; cransadm; bornes; };

    // No outgoing NOTIFY messages and no zone transfers to anyone.
    notify no;
    allow-transfer { "none"; };

    recursive-clients 5000;

    // Any client may send queries; recursion is gated separately above.
    allow-query { any; };

    auth-nxdomain no;    # conform to RFC1035
    listen-on { any; };
    listen-on-v6 { any; };

    // NOTE(review): DNSSEC validation is switched off, so answers from
    // upstream servers are accepted without signature checks and spoofed
    // or poisoned responses cannot be detected by this resolver. Confirm
    // this is still intended.
    // NOTE(review): dnssec-enable is obsolete in newer BIND 9 releases -
    // check it against the deployed version before upgrading.
    dnssec-enable no;
    dnssec-validation no;
};

logging {
    // Remove "REFUSED unexpected RCODE resolving" from the logfile
    category lame-servers { null; };
};

// to allow for rndc flush
// The control channel listens on 127.0.0.1 only, accepts only 127.0.0.1 and
// requires the key named "key" from the included file.
// NOTE(review): confirm /etc/bind/rndc.key is readable only by the account
// running named.
include "/etc/bind/rndc.key";

controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };
};