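-- {{ ansible_managed }}
--
-- dnsdist front-end: listens on loopback and the host's default IPv4 address
-- and splits traffic between a local authoritative server (pool 'authdns')
-- and a local recursive resolver (pool 'resolve').
--
-- NOTE(review): no setACL()/addACL() call appears here, so dnsdist's built-in
-- default ACL decides which clients may query at all. Confirm that it matches
-- the networks that are supposed to reach the recursive resolver.

setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ ansible_default_ipv4.address }}')

-- define downstream servers/pools
-- Both backends are reached over loopback without proxy-protocol options, so
-- they see dnsdist (127.0.0.1) as the source of every query. Source-address
-- based access control therefore has to be enforced by the rules below.
newServer({address='127.0.0.1:5300', pool='authdns'})
newServer({address='127.0.0.1:5353', pool='resolve'})

-- Rules are evaluated in the order they are added; the REFUSED rules must stay
-- ahead of the PoolAction rules so that filtered queries never reach a backend.

{% if dns_secondary is defined %}
-- allow AXFR/IXFR only from secondary
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
{% else %}
-- no secondary configured: refuse zone transfers from every client.
-- Without this branch AXFR/IXFR would be forwarded unfiltered, and the
-- authoritative backend would see them as coming from 127.0.0.1.
addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))
{% endif %}

-- allow NOTIFY only from primary
-- dns_primary is used unconditionally: rendering is expected to fail if it is
-- undefined, instead of producing a config that accepts NOTIFY from anyone.
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))

-- use auth servers for own zones
addAction('binary.kitchen', PoolAction('authdns'))
addAction('23.172.in-addr.arpa', PoolAction('authdns'))

-- function to set RA flag
-- dq: the response object handed over by LuaResponseAction; dq.dh is its DNS header.
-- Returns DNSResponseAction.None so that response processing continues normally.
function setRA(dq)
    dq.dh:setRA(true)
    return DNSResponseAction.None
end

-- set RA flag for queries to own zones
-- Answers for these zones come from the 'authdns' pool; the flag is set so
-- that they look like the answers served from the 'resolve' pool.
addResponseAction('binary.kitchen', LuaResponseAction(setRA))
addResponseAction('23.172.in-addr.arpa', LuaResponseAction(setRA))

-- use resolver for anything else
addAction(AllRule(), PoolAction('resolve'))

-- disable security status polling via DNS
-- With the poll disabled, dnsdist no longer reports on its own whether the
-- running version has known security issues; track updates by other means.
setSecurityPollSuffix('')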