// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//

options {
	directory "/etc/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you might need to uncomment the query-source
	// directive below.  Previous versions of BIND always asked
	// questions using port 53, but BIND 8.1 and later use an unprivileged
	// port by default.

	// query-source address * port 53;

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	auth-nxdomain no;    # conform to RFC1035

};

// define a key - you should really change the secret since
// all Debian boxes everywhere will have the same secret 
key "key" {
	algorithm       hmac-md5;
	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};

// fortunately, using this control statement, we restrict access
// to the control port 953/tcp to only the localhost and we
// configure named to listen to 953 only on the lo interface
controls {
	inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };

};

// prime the server with knowledge of the root servers
// beet is the ROOT, so it actually loads the zone, not the hints.
zone "." {
	type master;
	file "/etc/bind/db...signed";
};

trusted-keys {
	. 256 3 1 "AQOr2tzOGZzBbIbdEsp1ENtMtNniryEiobGUFjBDQoim9jBy1q7VUan2hJ+60eIrM1oCF6jyF2fFrnOgYRnZ0zpj"; // key id = 54074
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "root-servers.net" {
	type master;
	file "/etc/bind/db.root-servers.net..signed";
};

// this is machine beet, which has, according to testing/doc/dns_hier.fig,
// the following domains:

//   . (taken care of above)
//   arpa.
//   freeswan.org.
//   192.in-addr.arpa.
//   1.0.192.in-addr.arpa.
//   2.0.192.in-addr.arpa.
//   3.0.192.in-addr.arpa.
//   4.0.192.in-addr.arpa.
//   2.1.192.in-addr.arpa.
//   3.1.192.in-addr.arpa.
//   4.1.192.in-addr.arpa.

// freeswan.org zone
zone "freeswan.org" {
	type master;
	file "/etc/bind/db.freeswan.org..signed";
};

// arpa. zone
zone "arpa" {
	type master;
	file "/etc/bind/db.arpa..signed";
};

// 192.in-addr.arpa. zone
zone "192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.192.in-addr.arpa..signed";
};

// west subnet
zone "1.0.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.1.0.192.in-addr.arpa..signed";
};

// east subnet
zone "2.0.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.2.0.192.in-addr.arpa..signed";
};

// south subnet
zone "3.0.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.3.0.192.in-addr.arpa..signed";
};

// north subnet
zone "4.0.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.4.0.192.in-addr.arpa..signed";
};

// public internet
zone "2.1.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.2.1.192.in-addr.arpa..signed";
};

// north internet 
zone "3.1.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.3.1.192.in-addr.arpa..signed";
};

// south internet 
zone "4.1.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.4.1.192.in-addr.arpa..signed";
};


// add entries for other zones below here