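{#
  BIND named.conf template, rendered per host by Ansible.

  Hosts in the `bindmaster` group render each zone as a master; every other
  host renders it as a slave. Both TSIG secrets are interpolated in cleartext,
  so the rendered file should be readable only by root and the BIND service
  account, and the two variables should come from an encrypted store.
#}
options {
    directory "/var/cache/bind";
    // Authoritative-only: recursive queries are refused, so this server
    // cannot be used as an open resolver.
    recursion no;
};

{# TSIG key that update-policy below limits to the ACME challenge TXT record. #}
key "acme-key" {
    algorithm hmac-sha512;
    secret "{{ bind_acme_key }}";
};

{#
  Despite its name, this key is only used in this template to authenticate
  zone transfers between master and slaves; no update-policy grants it.
#}
key "update-key" {
    algorithm hmac-sha512;
    secret "{{ bind_update_key }}";
};

{% for domain in bind_zones.keys() %}
zone "{{ domain }}" in {
    type {{ 'master' if inventory_hostname in groups.bindmaster else 'slave' }};
    file "{{ domain }}.zone";
{% if inventory_hostname in groups.bindmaster %}
    // Least privilege for dynamic updates: acme-key may only change the TXT
    // rrset at exactly _acme-challenge.<zone>, nothing else in the zone.
    update-policy {
        grant acme-key name _acme-challenge.{{ domain }}. txt;
    };
    also-notify {
{% for server in groups.bindslave %}
        {{ hostvars[server].ansible_default_ipv6.address }};
{% endfor %}
    };
    // Transfers are authorised by TSIG key, not by source address.
    allow-transfer { key update-key; };
{% else %}
    masters {
{% for server in groups.bindmaster %}
        {{ hostvars[server].ansible_default_ipv6.address }} key "update-key";
{% endfor %}
    };
    // Without this statement the slave falls back to BIND's built-in
    // allow-transfer default, which in releases before 9.20 is "any": the
    // full zone could be pulled from a slave even though the master requires
    // update-key. Use { key update-key; } instead if further servers are
    // meant to transfer from this host.
    allow-transfer { none; };
{% endif %}
};
{% endfor %}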