docs: Update author and company contact information

- Add Ansible collections configuration
- Update converge and prepare playbooks
- Restructure molecule.yml for improved testing

.gitlab-ci.yml

@@ -0,0 +1,22 @@
+---
+image: docker:stable-dind
+
+services:
+  - docker:dind
+
+before_script:
+  - apk add --no-cache
+    python3 python3-dev py3-pip gcc git curl build-base
+    autoconf automake py3-cryptography linux-headers
+    musl-dev libffi-dev openssl-dev openssh
+  - docker info
+  - python3 --version
+  - python3 -m pip install ansible molecule[docker]
+    ansible-lint
+  - ansible --version
+  - molecule --version
+
+molecule:
+  stage: test
+  script:
+    - molecule test

.travis.yml

@@ -1,35 +0,0 @@
----
-language: python
-python: "2.7"
-
-# Use the new container infrastructure
-sudo: required
-
-# Install ansible
-addons:
-  apt:
-    packages:
-    - python-pip
-
-install:
-  # Install ansible
-  - pip install ansible
-
-  # Check ansible version
-  - ansible --version
-
-  # Create ansible.cfg with correct roles_path
-  - printf '[defaults]\nroles_path=../' >ansible.cfg
-
-script:
-  # Basic role syntax check
-  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
-
-#notifications:
-#  webhooks: https://galaxy.ansible.com/api/v1/notifications/
-
-env:
-- distribution: debian
-  version: bullseye
-- distribution: ubuntu
-  version: jammy

README.md

@@ -13,7 +13,6 @@ What the role does not do:
 - Maintain every aspect of bind (rndc config, etc)
 - Auto-generate and manage your secrets 
 
-
 Bugs
 ----
 Or, as I call them "happy accidents".
@@ -24,10 +23,22 @@ Or, as I call them "happy accidents".
 Role Variables
 --------------
 
+General configuration
+=====================
+Review the [defaults](defaults/main.yml) for a full set of configurable parameters. Here are the most interesting ones:
+
+`bind9_backup_config: [true, false]`: Backup each named.conf.* file or not. Default is 'true'. This setting is useful for testing out configuration changes but can clutter up the destination directory quite a bit if used across many updates.
+
+`bind9_debug_config: [true, false]`: Print the resulting YAML configuration tree that was sent to the configuration template. Default is 'false'. Useful for comparing with the resulting named.conf files and comparing values.
+
+`bind9_config_indent: [integer]`: Indentation level for the configuration template. Default is '4'. Set this value to suit your style. Tabs are not supported.
+
+named.conf
+==========
 bind configuration is set through the various bind9_*_config parameters. These are, in order of precedence:
 1. bind9_default_config
 2. bind9_group_config
-3. bind9_leaf_config
+3. bind9_site_config
 4. bind9_host_config
 
 All these configuration parameters are merged in a way where each successing config supercedes the previous one at a config-file level. To illustrate:
@@ -48,7 +59,7 @@ bind9_group_config:
       - name: "."
         type: mirror
 
-bind9_leaf_config:
+bind9_site_config:
   - name: named.conf.local
     zone:
       - name: "."
@@ -62,6 +73,7 @@ bind9_config:
   - name: named.conf.options
     options:
       recursion: false
+      notify: primary-only
   - name: named.conf.local
     zone:
       - name: "."
@@ -69,21 +81,114 @@ bind9_config:
         file: /etc/share/dns/root.hints
 ```
 
-The `named.conf.options` block in `bind9_default_config` got completely overwritten by the `bind9_group_config`, and the `bind9_leaf_config` completely overwrote `named.conf.local`, however, `named.conf.options` was left intact after merging with `bind9_leaf_config`.
+The `named.conf.options` block in `bind9_default_config` got completely overwritten by the `bind9_group_config`, and the `bind9_site_config` completely overwrote `named.conf.local`, however, `named.conf.options` was left intact after merging with `bind9_site_config`.
+
+Configuration Grammar
+---------------------
+The bind9 role tries to replicate the official ISC bind9 configuration format as close as possible,
+only re-implementing them in YAML format. This means that for the most part,
+section names are the same as in named.conf but kebab-case ('var-name') is replaced with snake_case ('var_name')
+If you are missing some statements in your resulting config, it is most likely because of this.
+
+The main configuration variable used are a series of bind_*_config variables (See [Role Variables]) that have the following syntax
+
+Every config starts by defining the file name. Each file can contain any amount of top-level statements,
+as permitted by named.conf 
+
+```
+bind9_host_config:
+  - name: FILENAME # The filename of your desired config file.
+                   # You also need to specify a corresponding `include:` for the file
+    SECTION_NAME: # The section name of the bind config you want to define.
+                  # Can be 'acl', 'options', 'zone', etc.
+                  # See: https://bind9.readthedocs.io/en/v9_18_4/reference.html#configuration-file-grammar
+    SECTION_2_NAME: # Every file can have as many sections as needed. Generally, try to keep 
+                    # all definitions and references together in a file.
+```
+
+Any option that can be defined multiple times in a named.conf, must be defined as a list
+```
+bind9_host_config:
+  - name: named.conf.local
+    acl:
+      - name: ELEMENT_NAME
+        addresses: 
+          - 127.0.0.1
+          - 127.0.0.2
+      - name: ELEMENT_2_NAME
+        addresses:
+          - 127.0.0.3
+```
+
+Simple options are defined just as that.
+```
+      SIMPLE_OPTION: string, boolean or integer value
+```
+
+Some options have several optional parameters. For those, a somewhat flexible 
+configuration format has been created
+```
+      IP_PORT_DSCP_OPTION: # Any option that is defined as one of:
+      #  <option> [ port <port> ] [ dscp <dscp> ] { <address> [ port <port> ] [ dscp <dscp> ]; ... }
+      #  <option> [ port <port> ] [ dscp <dscp> ] { <address> [ port <port> ] [ key <key> ] [ tls <tls> ]; ... }
+      # has a few optional syntaxes 
+      # Example 1: Simple address list
+        - ADDRESS1
+        - ADDRESS2
+      # Example 2: To define source port/dscp, use 'addresses' sub-element
+        [ port: PORT ]
+        [ dscp: DSCP ]
+        addresses:
+          - ADDRESS1
+          - ADDRESS2
+          - 127.0.0.1
+      # Example 3: To define target port/dscp, use 'addresses' as a list of dicts
+        addresses:
+          - address: ADDRESS
+            [ port: PORT ]
+            [ dscp: DSCP ]
+          - address: 127.0.0.1
+            port: 53
+          - address: 127.0.0.1
+            dscp: 42
+          - address: 127.0.0.1
+            port: 5353
+            dscp: 42
+      # Example 4: The various formats can be mixed and matched within the main element
+        - ADDRESS1
+        - address: ADDRESS2
+          port: PORT
+```
+
 
 Dependencies
 ------------
 
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+No dependencies
 
 Example Playbook
 ----------------
 
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+Simple sample config of a recursive BIND server that allows your localnetwork to resolve addresses via 
 
     - hosts: servers
       roles:
-         - { role: username.rolename, x: 42 }
+         - bind9
+      vars:
+        bind9_host_config:
+          - name: named.conf.local
+            acl:
+              - name: mylan
+                addresses:
+                  - 10.0.0.0/8
+          - name: named.conf.options
+            options:
+              forwarders:
+                - 1.1.1.1
+              allow-query:
+                - mylan
+              allow-recursion:
+                - mylan
 
 License
 -------
@@ -93,452 +198,5 @@ BSD
 Author Information
 ------------------
 
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
-
-```
-    options:
-      forwarders:
-        - 1.1.1.1
-        - 1.0.0.1
-      fetches_per_server: 200 fail
-      prefetch: 4 10
-      version: none
-      hostname: l33t.h4x0r
-      avoid_v4_udp_ports:
-        - "range 5132 5232"
-        - "range 1337 31337"
-      servfail_ttl: 0
-      allow_notify:
-        - 10.0.0.0/8
-      allow_query:
-        - "!10.0.2.1"
-        - 0/0
-      blackhole:
-        - 192.168.0.0/16
-      allow_recursion: []
-      empty_server: "empty.server.string"
-      dns64_server: "server.name"
-      dns64_contact: "dak.keepit.com"
-      directory: "{{ bind9_cachedir }}"
-      key_directory: "{{ bind9_cachedir }}/keys"
-      statistics_file: "{{ bind9_cachedir }}/named.stats"
-      rrset_order:
-        - type: A
-          name: foo.isc.org
-          order: random
-        - type: AAAA
-          name: foo.isc.org
-          order: cyclic
-        - name: bar.isc.org
-          order: random
-        - name: "*.bar.isc.org"
-          order: random
-        - name: "*.baz.isc.org"
-          order: cyclic
-      response_policy:
-        zones:
-          - zone: smorg.bop
-            max_policy_ttl: 30S
-            min_update_interval: 30S
-            policy: disabled
-            add_soa: true
-            log: true
-            recursive_only: false
-            nsip_enable: true
-            nsdname_enable: true
-        max_policy_ttl: 30S
-        min_update_interval: 30S
-        min_ns_dots: 2
-        add_soa: false
-        break_dnssec: false
-        nsip_wait_recurse: true
-        nsdname_wait_recurse: true
-        qname_wait_recurse: true
-        recursive_only: true
-        nsip_enable: true
-        nsdname_enable: true
-        dnsrps_enable: false
-        dnsrps_options:
-          - simple
-          - item
-          - list
-      response_padding:
-        block_size: 4096
-        addresses:
-          - 0/0
-      rate_limit:
-        all_per_second: 0
-        errors_per_second: 0
-        responses_per_second: 0
-        referrals_per_second: 0
-        nodata_per_second: 0
-        nxdomains_per_second: 0
-        ipv4_prefix_length: 24
-        ipv6_prefix_length: 54
-        max_table_size: 20000
-        min_table_size: 500
-        qps_scale: 250
-        slip: 2
-        window: 15
-        log_only: true
-        exempt_clients:
-          - 192.168.0.1
-          - 10.20.30.40
-      query_source_v6:
-        address: "*"
-        port: "*"
-        dscp: 42
-      parental_source_v6:
-        address: "*"
-        port: "*"
-        dscp: 42
-      notify_source_v6:
-        address: "*"
-      notify_source:
-        address: "*"
-      listen_on:
-        - port: 53
-          addresses:
-            - 0.0.0.0
-        - port: 5353
-          dscp: 42
-          addresses:
-            - 0.0.0.0
-            - 127.0.0.1
-      listen_on_v6:
-        - port: 5353
-          dscp: 42
-          addresses:
-            - "::"
-            - "de:ad::be:ef"
-      dialup: false
-      minimal_responses: true
-      zone_statistics: full
-      ixfr_from_differences: master
-      dual_stack_servers:
-        port: 4492
-        addresses:
-          - address: hostname.com
-            port: 4421
-            dscp: 42
-          - address: 10.128.128.182
-          - address: de:ad::be:ef
-      dnstap:
-        - type: auth
-        - type: client
-          log: response
-        - type: resolver
-          log: query
-      dnstap_output:
-        output_type: file
-        output_file: /tmp/dnstap
-        size: 10M
-        versions: 200
-        suffix: increment
-  - name: named.conf.local
-    acl:
-      localstuff:
-        - 10.0.0.0/8
-        - 192.168.0.0/16
-        - 172.16.0.0/12
-      external:
-        - 185.181.220.77
-        - "!0.0.0.0/0"
-    controls:
-      - type: inet
-        address: 127.0.0.1
-        port: 533
-        allow:
-          - 127.0.0.0/8
-          - "!127.13.37.1"
-        readonly: false
-      - type: inet
-        address: 10.20.30.40
-        allow:
-          - 100.0.0.0/8
-    view:
-      - name: recursive-view
-        match_clients:
-          - localstuff
-        match_destinations:
-          - remote
-        match-recursive-only: true
-        options:
-          transfer_source:
-            address: 0.0.0.0
-            port: '*'
-            dscp: 42
-          allow_recursion:
-            - localstuff
-        zones:
-          - name: google.com
-            type: forward
-            forward: only
-            forwarders:
-              - 1.1.1.1
-              - 1.0.0.1
-    dnssec_policy:
-      - name: mypolicy
-        keylist:
-          - role: ksk
-            key_directory: true
-            lifetime: unlimited
-            algorithm: rsasha256
-            keysize: 2048
-          - role: zsk
-            lifetime: P30D
-            algorithm: 8
-          - role: csk
-            lifetime: P6MT12H3M15S
-            algorithm: ecdsa256
-        max_zone_ttl: P4D
-        parent_ds_ttl: P14D
-        nsec3param:
-          iterations: '0'
-          optout: false
-          salt_length: '0'
-    dyndb:
-      - name: sample
-        driver: example.so
-        parameters:
-          - example.nil. arpa.
-          - example2.nil. arpa.
-    http:
-      - name: dohconf
-        endpoints:
-          - /dns-query
-          - /dns
-          - /query
-        listener_clients: 4
-        streams_per_connection: 1024
-    keylist:
-      - name: certbot.
-        algorithm: hmac-sha512
-        secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA=="
-      - name: certbot2.
-        algorithm: hmac-sha512
-        secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA=="
-    logging:
-      categories:
-        - name: default
-          channels:
-            - default_syslog
-            - default_debug
-            - tv2
-            - dr1
-        - name: unmatched
-          channels:
-            - tv3
-      channels:
-        - name: tv2
-          buffered: true
-          file:
-            name: /var/log/named.log
-            versions: 7
-            size: 20m
-            suffix: increment
-          print_category: false
-          print_severity: false
-          print_time: iso8601-utc
-          severity: info
-        - name: tv3
-          'null': true
-        - name: dr1
-          syslog: daemon
-        - name: kanalkobenhavn
-          stderr: true
-          severity: debug 3
-    parental_agents:
-      - name: parents
-        port: 53353
-        dscp: 42
-        addresses:
-          - address: 10.20.30.40
-            port: 53
-            key: certbot.
-          - address: 20.30.40.50
-            port: 53
-          - address: 30.40.50.60
-            key: certbot2.
-          - address: 40.50.60.70
-      - name: notparents
-        addresses:
-          - address: 10.20.30.40
-          - address: 30.40.50.60
-          - address: 40.50.60.70
-    primaries:
-      - name: parents
-        port: 53353
-        dscp: 42
-        addresses:
-          - address: 10.20.30.40
-            port: 53
-            key: certbot.
-          - address: 20.30.40.50
-            port: 53
-          - address: 30.40.50.60
-            key: certbot2.
-          - address: 40.50.60.70
-      - name: notparents
-        addresses:
-          - address: 10.20.30.40
-          - address: 30.40.50.60
-          - address: 40.50.60.70
-    tls:
-      - name: certbot
-        cert_file: /etc/ssl/private/snakeoil.pem
-        key_file: /etc/ssl/private/snakeoil.key
-        dhparam_file: /etc/ssl/dhparam.pem
-        ca_file: /etc/ssl/certs/ca-certificates.crt
-        remote_hostname: yourhostname
-        ciphers: HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384
-        protocols:
-          - TLSv1.2
-          - TLSv1.3
-        prefer_server_ciphers: true
-        session_tickets: true
-    trust_anchors:
-      - name: .
-        type: initial-key
-        flags: 257
-        protocol: 3
-        algorithm: 8
-        key: "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
-      - name: hugs.dk
-        type: static-ds
-        flags: 64335
-        protocol: 7
-        algorithm: 2
-        key: "D6AAECB1BA13D51F072A229C957ACADEA18118FB17DA2DC7D45A963428091372"
-    server:
-      - prefix: 1.1.1.1
-        bogus: false
-        edns: true
-        tcp_only: false
-        tcp_keepalive: false
-        edns_version: '0'
-        padding: '0'
-        transfers: '0'
-        keyname: certbot.
-        query_source:
-          address: "*"
-          port: "*"
-    statistics_channels:
-      - address: 0.0.0.0
-        port: 8080
-        allow:
-          - 0/0
-  - name: named.conf.zones
-    backup: false
-    zones:
-      - name: "_acme-challenge.hugs.dk"
-        type: master
-        file: master/_acme-challenge.hugs.dk.zone
-        allow_query:
-          - any
-        dnssec_policy: default
-        inline_signing: true
-        serial_update_method: date
-        update_policy:
-          - permission: grant
-            identity: certbot.
-            ruletype: name
-            name: _acme-challenge.hugs.dk
-            types: txt
-      - name: forward.net
-        type: forward
-        forwarders:
-          port: 53
-          addresses:
-            - address: 1.1.1.1
-              port: 53
-              dscp: 42
-            - address: 4.2.2.4
-              port: 53
-      - name: stub.com
-        type: static-stub
-        allow_query:
-          - any
-        server_addresses:
-          - 1.1.1.1
-          - 8.8.8.8
-        zone_statistics: full
-      - name: example.com
-        type: slave
-        allow_query:
-          - 127.0.0.1
-          - 10.0.0.1
-          - 128.15.14.13
-        allow_query_on:
-          - 127.0.0.1
-        primaries:
-          port: 5522
-          dscp: 42
-          addresses:
-            - address: 127.0.0.1
-              port: 55222
-            - address: 10.20.30.40
-      - name: smorg.bop
-        type: slave
-        primaries:
-          addresses:
-            - address: 127.0.0.1
-        allow_query:
-          - 15.14.13.12
-          - 10.20.30.40
-          - 28.25.23.24
-          - "!10.13.14.15"
-        forwarders:
-          port: 53
-          dscp: 42
-          addresses:
-            - address: 127.0.0.1
-              port: 53
-              dscp: 42
-            - address: 10.20.30.40
-              port: 53
-            - address: 20.30.40.50
-            - address: 30.40.50.60
-              port: 53
-        allow_transfer:
-          port: 5522
-          transport: tls
-          addresses:
-            - 192.168.122.1
-        also_notify:
-          port: 5523
-          dscp: 42
-          addresses:
-            - address: 127.0.0.1
-              port: 5523
-            - address: 127.0.0.2
-        auto-dnssec: allow
-        dnskey_sig_validity: 0
-        dnssec-dnskey-kskonly: true
-        dnssec_loadkeys_interval: 0
-        file: "string"
-        forward: first
-        inline_signing: true
-        ixfr_from_differences: true
-        masterfile_format: raw
-        masterfile_style: full
-        max_ixfr_ratio: unlimited
-        max_journal_size: default
-        max_records: 0
-        max_transfer_idle_out: 0
-        max_transfer_time_out: 0
-        notify: true
-        notify_delay: '0'
-        notify_to_soa: false
-        parental_agents:
-          port: 44332
-          dscp: 42
-          addresses:
-            - address: 127.0.0.1
-              port: 53
-        sig_signing_nodes: '0'
-        sig_signing_signatures: '0'
-        sig_signing_type: 65281
-        zero_no_soa_ttl: true
-        zone_statistics: full
-```
+Daniel Akulenok <daniel@valid.dk>
+Valid.dk

defaults/main.yml

@@ -11,9 +11,10 @@ bind9_backup_dir: /data/backup/bind
 
 bind9_backup_config: true
 bind9_debug_config: false
+bind9_config_indent: 4
 
 bind9_group_config: []
-bind9_leaf_config: []
+bind9_site_config: []
 bind9_host_config: []
 
 bind9_default_config:
@@ -27,4 +28,10 @@ bind9_default_config:
     options:
       directory: "{{ bind9_working_directory }}"
 
-bind9_config: "{{ [bind9_default_config, bind9_group_config, bind9_leaf_config, bind9_host_config] | community.general.lists_mergeby('name', recursive=true, list_merge='append_rp') }}"
+bind9_config: "{{ [bind9_default_config,
+  bind9_group_config,
+  bind9_site_config,
+  bind9_host_config] |
+  community.general.lists_mergeby('name',
+    recursive=true,
+    list_merge='append_rp') }}"

handlers/main.yml

@@ -1,22 +1,24 @@
 ---
 # handlers file for bind9
-- name: reload bind
+- name: Reload bind
   ansible.builtin.service:
     name: named
     state: reloaded
 
-- name: restart bind
+- name: Restart bind
   ansible.builtin.service:
     name: named
     state: restarted
 
-- name: backup bind config
+- name: Backup bind config
   community.general.archive:
     path:
       - "{{ bind9_cfgdir }}"
       - "{{ bind9_working_directory }}"
       - "{{ bind9_libdir }}"
-    dest: "{{ bind9_backup_dir }}/bind9-config-{{ ansible_date_time.iso8601_basic_short }}.tar.gz"
+    dest: "{{
+      bind9_backup_dir + '/bind9-config-' +
+      ansible_facts.date_time.iso8601_basic_short + '.tar.gz' }}"
     owner: root
     group: root
     mode: 0640

meta/argument_specs.yml

@@ -0,0 +1,55 @@
+---
+argument_specs:
+  main:
+    short_description: The main entry point for the bind9 role.
+    options:
+      bind9_config:
+        type: list
+        elements: dict
+        description:
+          - A list of configuration dictionaries that are merged to produce the final configuration.
+          - Each element must have a 'name' key (filename).
+      bind9_default_config:
+        type: list
+        elements: dict
+        description: Default configuration.
+      bind9_group_config:
+        type: list
+        elements: dict
+        description: Group-level configuration.
+      bind9_site_config:
+        type: list
+        elements: dict
+        description: Site/Leaf-level configuration.
+      bind9_host_config:
+        type: list
+        elements: dict
+        description: Host-level configuration.
+      bind9_backup_config:
+        type: bool
+        default: true
+        description: Whether to backup configuration files before overwriting.
+      bind9_debug_config:
+        type: bool
+        default: false
+        description: Whether to print the merged configuration during execution.
+      bind9_config_indent:
+        type: int
+        default: 4
+        description: Indentation level for generated configuration files.
+      bind9_packages:
+        type: list
+        elements: str
+        description: List of packages to install.
+      bind9_cfgdir:
+        type: str
+        description: Directory for configuration files.
+      bind9_working_directory:
+        type: str
+        description: Working directory for BIND.
+      bind9_libdir:
+        type: str
+        description: Library directory for BIND.
+      bind9_backup_dir:
+        type: str
+        description: Directory for backups.

meta/main.yml

@@ -1,52 +1,32 @@
+---
 galaxy_info:
+  role_name: bind9
+  namespace: valid
+
   author: Daniel Akulenok
   description: Configure Bind9
   company: Valid.dk
 
-  # If the issue tracker for your role is not on github, uncomment the
-  # next line and provide a value
-  # issue_tracker_url: http://example.com/issue/tracker
+  issue_tracker_url: https://gitlab.valid.dk/operations/ansible-bind9-role
 
-  # Choose a valid license ID from https://spdx.org - some suggested licenses:
-  # - BSD-3-Clause (default)
-  # - MIT
-  # - GPL-2.0-or-later
-  # - GPL-3.0-only
-  # - Apache-2.0
-  # - CC-BY-4.0
-  license: GPL-2.0-or-later
+  license: GPL-3.0-or-later
 
-  min_ansible_version: 2.1
+  min_ansible_version: "2.13"
 
-  # If this a Container Enabled role, provide the minimum Ansible Container version.
-  # min_ansible_container_version:
+  platforms:
+    - name: Ubuntu
+      versions:
+        - jammy
+        - focal
+    - name: Debian
+      versions:
+        - bullseye
 
-  #
-  # Provide a list of supported platforms, and for each platform a list of versions.
-  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
-  # To view available platforms and versions (or releases), visit:
-  # https://galaxy.ansible.com/api/v1/platforms/
-  #
-  # platforms:
-  # - name: Fedora
-  #   versions:
-  #   - all
-  #   - 25
-  # - name: SomePlatform
-  #   versions:
-  #   - all
-  #   - 1.0
-  #   - 7
-  #   - 99.99
-
-  galaxy_tags: []
-    # List tags for your role here, one per line. A tag is a keyword that describes
-    # and categorizes the role. Users find roles by searching for tags. Be sure to
-    # remove the '[]' above, if you add tags to this list.
-    #
-    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
-    #       Maximum 20 tags per role.
+  galaxy_tags:
+    - bind9
+    - bind
+    - dns
+    - ubuntu
+    - debian
 
 dependencies: []
-  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
-  # if you add dependencies to this list.

molecule/default/collections.yml

@@ -0,0 +1,7 @@
+---
+collections:
+  - name: ansible.utils
+  - name: ansible.posix
+  - name: community.crypto
+  - name: community.general
+

molecule/default/converge.yml

@@ -0,0 +1,7 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+    - name: Include bind9 role
+      ansible.builtin.include_role:
+        name: ../../../ansible-bind9-role

molecule/default/molecule.yml

@@ -0,0 +1,25 @@
+---
+driver:
+  name: podman
+platforms:
+  - name: debian-bookworm
+    image: docker.io/jrei/systemd-debian:12
+    command: /lib/systemd/systemd
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+  - name: debian-trixie
+    image: docker.io/jrei/systemd-debian:13
+    command: /lib/systemd/systemd
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      ALLOW_BROKEN_CONDITIONALS: true
+verifier:
+  name: ansible

molecule/default/prepare.yml

@@ -0,0 +1,6 @@
+---
+- hosts: all
+  tasks:
+    - name: Update apt
+      ansible.builtin.apt:
+        update_cache: true

tasks/main.yml

@@ -4,6 +4,7 @@
   ansible.builtin.apt:
     name: "{{ bind9_packages }}"
     state: present
+    cache_valid_time: 3600
   tags:
     - bind9
     - packages
@@ -15,25 +16,75 @@
     owner: root
     group: root
     mode: 0750
-  when: bind9_backup_config is defined and bind9_backup_config
+  when: bind9_backup_config is defined and bind9_backup_config | bool
+
+- name: Deploy and Validate Configuration
+  block:
+    - name: Create backup of current config
+      ansible.builtin.copy:
+        src: "{{ bind9_cfgdir }}/{{ item.name }}"
+        dest: "{{ bind9_cfgdir }}/{{ item.name }}.bak"
+        remote_src: true
+        owner: root
+        group: bind
+        mode: 0640
+      failed_when: false # It's okay if the file doesn't exist yet
+      # We do this for every file in the loop
+      loop: "{{ bind9_config }}"
+      loop_control:
+        label: "{{ item.name }}"
+
+    - name: Template named.conf.generator
+      ansible.builtin.template:
+        src: named.conf.generator.j2
+        dest: "{{ bind9_cfgdir }}/{{ item.name }}"
+        owner: root
+        group: bind
+        mode: 0640
+      loop: "{{ bind9_config }}"
+      loop_control:
+        label: "{{ item.name }}"
+      register: _template_result
+
+    - name: Validate configuration using named-checkconf
+      ansible.builtin.command:
+        cmd: "named-checkconf -z {{ bind9_cfgdir }}/named.conf"
+      changed_when: false
+
+  rescue:
+    - name: Restore configuration from backup
+      ansible.builtin.copy:
+        src: "{{ bind9_cfgdir }}/{{ item.name }}.bak"
+        dest: "{{ bind9_cfgdir }}/{{ item.name }}"
+        remote_src: true
+        owner: root
+        group: bind
+        mode: 0640
+      loop: "{{ bind9_config }}"
+      loop_control:
+        label: "{{ item.name }}"
+      failed_when: false # Best effort restore
+
+    - name: Fail due to invalid configuration
+      ansible.builtin.fail:
+        msg: "Configuration validation failed. Changes have been reverted. Check the logs for named-checkconf errors."
+
+  always:
+    - name: Remove backup files
+      ansible.builtin.file:
+        path: "{{ bind9_cfgdir }}/{{ item.name }}.bak"
+        state: absent
+      loop: "{{ bind9_config }}"
+      loop_control:
+        label: "{{ item.name }}"
+      when: bind9_backup_config | bool is false # Keep if backup is forced, otherwise cleanup temporary atomic backup
   
-- name: named.conf.generator
-  ansible.builtin.template:
-    src: named.conf.generator.j2
-    dest: "{{ bind9_cfgdir }}/{{ item.name }}"
-    owner: root
-    group: bind
-    backup: "{{ item.backup | default('false') | bool }}"
-  # validate: 'named-checkconf -z -j %s'
-  loop: "{{ bind9_config }}"
-  loop_control:
-    label: "{{ item.name }}"
   tags:
     - bind9
     - template
   notify:
-    - backup bind config
-    - restart bind
+    - Backup bind config
+    - Restart bind
 
 - name: Ensure the named service is started
   ansible.builtin.service:

templates/named.conf.acl.j2

@@ -1,7 +1,7 @@
 {# ACL Macro. Very easy statement. It's just a list of address match elements. #}
-{% macro acl(acls) %}
-{% for acl in acls %}
+{% for acl in item.acl %}
+
 acl {{ acl.name }} {
 {{ functions.simple_item_list(acl.addresses) -}}
 };
-{% endfor %}{% endmacro %}
+{% endfor %}

templates/named.conf.controls.j2

@@ -1,7 +1,7 @@
-{% macro controls(controls) %}
+
 controls {
-{% filter indent(2, true) %}
-{% for control in controls %}
+{% filter indent(bind9_config_indent, true) %}
+{% for control in item.controls %}
 {% if control.type == "inet" %}
 {{ ('inet ' + control.address) -}}
 {{ (' port ' + control.port | string) if control.port is defined and control.port -}}
@@ -16,4 +16,3 @@ controls {
 {{ (' read-only ' + control.read_only | string) if control.read_only is defined -}};
 {% endfor %}};
 {% endfilter %}
-{% endmacro %}

templates/named.conf.dlz.j2

@@ -1,10 +1,9 @@
-{% macro dlz(dlzs) %}
-{% for dlz in dlzs if dlzs is iterable %}
+{% for dlz in item.dlz if item.dlz is iterable %}
+
 dlz "{{ dlz.name }}" {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {{ ('database "' + simple_item_list(dlz.database) + '";') }}
 {{ functions.boolean_option('search', dlz.search) }}
 {% endfilter %}
 };
 {% endfor %}
-{% endmacro %}

templates/named.conf.dnssec-policy.j2

@@ -1,10 +1,10 @@
-{% macro dnssec_policy(policies) %}
-{% for policy in policies if policies is iterable %}
+{% for policy in item.dnssec_policy if item.dnssec_policy is iterable %}
+
 dnssec-policy "{{ policy.name }}" {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% if policy.keys is defined and policy.keys %}
 keys {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% for dnskey in policy.keylist if policy.keylist is iterable %}
 {{ dnskey.role -}}
 {{ (' key-directory') if dnskey.key_directory is defined and dnskey.key_directory -}}
@@ -36,4 +36,3 @@ nsec3param
 {% endfilter %}
 };
 {% endfor %}
-{% endmacro %}

templates/named.conf.dyndb.j2

@@ -1,8 +1,7 @@
-{% macro dyndb(dyndbs) %}
-{% for dyndb in dyndbs if dyndbs is iterable %}
+{% for dyndb in item.dyndb if item.dyndb is iterable %}
+
 dyndb {{ dyndb.name }} "{{ dyndb.driver }}" {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {{ functions.simple_item_list(dyndb.parameters) -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.functions.j2

@@ -1,20 +1,27 @@
-{% macro simple_item_list(item_list, indent=2) %}
+{% macro simple_item_list(item_list, indent=bind9_config_indent) %}
 {# This macro is for use in simple address lists #}
 {% filter indent(indent, true) %}
 {{ item_list | join(';\n') }};
 {% endfilter %}
 {% endmacro %}
 
-{% macro list_address_port_key_tls(dict, indent=2) %}
+{% macro list_address_port_key_tls(dict, indent=bind9_config_indent) %}
 {% filter indent(indent, true) %}
 {% for item in dict %}
 {% if item is not mapping %}
 {{ item -}};
-{% else %}
+{% elif item.address is string %}
 {{ item.address -}}
 {{- (' port ' + item.port | string) if item.port is defined -}}
 {{- (' key ' + item.key | string) if item.key is defined -}}
 {{- (' tls ' + item.tls | string) if item.tls is defined -}};
+{% elif item.address is sequence %}
+{% for address in item.address %}
+{{ address -}}
+{{- (' port ' + item.port | string) if item.port is defined -}}
+{{- (' key ' + item.key | string) if item.key is defined -}}
+{{- (' tls ' + item.tls | string) if item.tls is defined -}};
+{% endfor %}
 {% endif %}
 {% endfor %}
 {% endfilter %}
@@ -35,7 +42,7 @@
 {% endif %}
 {% endmacro %}
 
-{% macro list_address_port_dscp(dict, indent=2) %}
+{% macro list_address_port_dscp(dict, indent=bind9_config_indent) %}
 {# This macro is for use for statements with grammar like #}
 {#  address port 00 dscp 00; address port 00 dscp 00; #}
 {# it is usually called by a parent macro #}

templates/named.conf.generator.j2

@@ -1,79 +1,59 @@
-{% import 'named.conf.functions.j2' as functions %}
+{% import 'named.conf.functions.j2' as functions with context %}
 {{ ansible_managed | comment }}
 {% if item.options is defined and item.options %}
-{% from 'named.conf.options.j2' import options with context %}
-options {
-{% filter indent(2,true)%}
-{{ options(item.options) -}}
-{% endfilter %}
-};
-
+{% include 'named.conf.options.j2' %}
 {% endif %}
 {% if item.acl is defined and item.acl %}
-{% from 'named.conf.acl.j2' import acl with context %}
-{{ acl(item.acl) }}
-{% endif %}
-{% if item.zones is defined and item.zones %}
-{% from 'named.conf.zone.j2' import zones with context %}
-{{ zones(item.zones) }}
-{% endif %}
-{% if item.controls is defined and item.controls %}
-{% from 'named.conf.controls.j2' import controls with context %}
-{{ controls(item.controls) }}
-{% endif %}
-{% if item.include is defined and item.include %}
-{% from 'named.conf.include.j2' import include with context %}
-{{ include(item.include) }}
-{% endif %}
-{% if item.dlz is defined and item.dlz %}
-{% from 'named.conf.dlz.j2' import dlz with context %}
-{{ dlz(item.dlz) }}
-{% endif %}
-{% if item.dnssec_policy is defined and item.dnssec_policy %}
-{% from 'named.conf.dnssec-policy.j2' import dnssec_policy with context %}
-{{ dnssec_policy(item.dnssec_policy) }}
-{% endif %}
-{% if item.dyndb is defined and item.dyndb %}
-{% from 'named.conf.dyndb.j2' import dyndb with context %}
-{{ dyndb(item.dyndb) }}
-{% endif %}
-{% if item.http is defined and item.http %}
-{% from 'named.conf.http.j2' import http with context %}
-{{ http(item.http) }}
-{% endif %}
-{% if item.keylist is defined and item.keylist %}
-{% from 'named.conf.key.j2' import keylist with context %}
-{{ keylist(item.keylist) }}
-{% endif %}
-{% if item.logging is defined and item.logging %}
-{% from 'named.conf.logging.j2' import logging with context %}
-{{ logging(item.logging) }}
-{% endif %}
-{% if item.parental_agents is defined and item.parental_agents %}
-{% from 'named.conf.parental-agents.j2' import parental_agents with context %}
-{{ parental_agents(item.parental_agents) }}
+{% include 'named.conf.acl.j2' %}
 {% endif %}
 {% if item.primaries is defined and item.primaries %}
-{% from 'named.conf.primaries.j2' import primaries with context %}
-{{ primaries(item.primaries) }}
+{% include 'named.conf.primaries.j2' %}
+{% endif %}
+{% if item.controls is defined and item.controls %}
+{% include 'named.conf.controls.j2' %}
+{% endif %}
+{% if item.include is defined and item.include %}
+{% include 'named.conf.include.j2' %}
+{% endif %}
+{% if item.dlz is defined and item.dlz %}
+{% include 'named.conf.dlz.j2' %}
+{% endif %}
+{% if item.dnssec_policy is defined and item.dnssec_policy %}
+{% include 'named.conf.dnssec-policy.j2' %}
+{% endif %}
+{% if item.dyndb is defined and item.dyndb %}
+{% include 'named.conf.dyndb.j2' %}
+{% endif %}
+{% if item.http is defined and item.http %}
+{% include 'named.conf.http.j2' %}
+{% endif %}
+{% if item.keylist is defined and item.keylist %}
+{% include 'named.conf.key.j2' %}
+{% endif %}
+{% if item.logging is defined and item.logging %}
+{% include 'named.conf.logging.j2' %}
+{% endif %}
+{% if item.parental_agents is defined and item.parental_agents %}
+{% include 'named.conf.parental-agents.j2' %}
 {% endif %}
 {% if item.server is defined and item.server %}
-{% from 'named.conf.server.j2' import server with context %}
-{{ server(item.server) }}
+{% include  'named.conf.server.j2' %}
 {% endif %}
 {% if item.statistics_channels is defined and item.statistics_channels %}
-{% from 'named.conf.statistics-channels.j2' import statistics_channels with context %}
-{{ statistics_channels(item.statistics_channels) }}
+{% include 'named.conf.statistics-channels.j2' %}
 {% endif %}
 {% if item.tls is defined and item.tls %}
-{% from 'named.conf.tls.j2' import tls with context %}
-{{ tls(item.tls) }}
+{% include 'named.conf.tls.j2' %}
 {% endif %}
 {% if item.trust_anchors is defined and item.trust_anchors %}
-{% from 'named.conf.trust-anchors.j2' import trust_anchors with context %}
-{{ trust_anchors(item.trust_anchors) }}
+{% include 'named.conf.trust-anchors.j2' %}
+{% endif %}
+{% if item.zones is defined and item.zones %}
+{% include 'named.conf.zone.j2' %}
 {% endif %}
 {% if item.view is defined and item.view %}
-{% from 'named.conf.view.j2' import view with context %}
-{{ view(item.view) }}
+{% include 'named.conf.view.j2' %}
+{% endif %}
+{% if item.remote_servers is defined and item.remote_servers %}
+{% include 'named.conf.remote-servers.j2' %}
 {% endif %}

templates/named.conf.http.j2

@@ -1,10 +1,10 @@
-{% macro http(seq) %}
-{% for http in seq if seq is iterable %}
+{% for http in item.http if item.http is iterable %}
+
 http {{ http.name }} {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% if http.endpoints is defined and http.endpoints %}
 endpoints {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% for endpoint in http.endpoints %}
 {{ '"' + endpoint + '";' }} 
 {% endfor %}
@@ -14,4 +14,3 @@ endpoints {
 {{ ('streams-per-connection ' + http.streams_per_connection | string + ';\n') if http.streams_per_connection is defined and http.streams_per_connection -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.include.j2

@@ -1,5 +1,4 @@
-{% macro include(files) %}
-{% for file in files %}
+
+{% for file in item.include %}
 include "{{ file }}";
 {% endfor %}
-{% endmacro %}

templates/named.conf.key.j2

@@ -1,9 +1,8 @@
-{% macro keylist(keylists) %}
-{% for keyname in keylists if keylists is iterable %}
+{% for keyname in item.keylist if item.keylist is iterable %}
+
 key {{ keyname.name }} {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {{ ('algorithm ' + keyname.algorithm + ';\n') if keyname.algorithm is defined and keyname.algorithm -}}
 {{ ('secret "' + keyname.secret + '";\n') if keyname.secret is defined and keyname.secret -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.logging.j2

@@ -1,13 +1,13 @@
-{% macro logging(logging) %}
+
 logging {
-{% filter indent(2, true) %}
-{% for category in logging.categories if logging.categories is defined and logging.categories %}
+{% filter indent(bind9_config_indent, true) %}
+{% for category in item.logging.categories if item.logging.categories is defined and item.logging.categories %}
 category {{ category.name }} {
 {{ functions.simple_item_list(category.channels) }}};
 {% endfor %}
-{% for channel in logging.channels if logging.channels is defined and logging.channels %}
+{% for channel in item.logging.channels if item.logging.channels is defined and item.logging.channels %}
 channel {{ channel.name }} {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% if channel.file is defined and channel.file %}
 file "{{ channel.file.name }}"
 {{- (' versions ' + channel.file.versions | string) if channel.file.versions is defined and channel.file.versions -}}
@@ -26,4 +26,3 @@ file "{{ channel.file.name }}"
 };
 {% endfor %}
 {% endfilter %}};
-{% endmacro %}

templates/named.conf.options.j2

@@ -1,20 +1,28 @@
-{% macro options(option) %}
-{# Unicorn Options#}
-{% if option.rrset_order is defined and option.rrset_order %}
+{% import 'named.conf.functions.j2' as functions with context %}
+
+options {
+{% filter indent(bind9_config_indent,true)%}
+{# Iterate over keys to preserve user order (Python 3.7+ / Ansible dicts are ordered) #}
+{% for key, value in item.options.items() %}
+{% set conf_key = key | replace('_', '-') %}
+
+{# --- COMPLEX BLOCKS --- #}
+
+{% if key == 'rrset_order' %}
 rrset-order {
-{% filter indent(4, true) %}
-{% for rrset in option.rrset_order %}
+{% filter indent(bind9_config_indent, true) %}
+{% for rrset in value %}
 {{ ('class ' + rrset.class | string + ' ') if rrset.class is defined and rrset.class -}}
 {{ ('type ' + rrset.type | string + ' ') if rrset.type is defined and rrset.type -}}
 {{ ('name "' + rrset.name | string + '" ') if rrset.name is defined and rrset.name -}}
 {{ ('order ' + rrset.order | string) -}};
 {% endfor %}
 {% endfilter %}};
-{% endif %}
-{% if option.response_policy is defined and option.response_policy %}
+
+{% elif key == 'response_policy' %}
 response-policy {
-{% filter indent(2, true) %}
-{% for zone in option.response_policy.zones %}
+{% filter indent(bind9_config_indent, true) %}
+{% for zone in value.zones %}
 {{- ('zone ' + zone.zone | string) -}}
 {{- (' max-policy-ttl ' + zone.max_policy_ttl | string) if zone.max_policy_ttl is defined and zone.max_policy_ttl -}}
 {{- (' min-update-interval ' + zone.min_update_interval | string) if zone.min_update_interval is defined and zone.min_update_interval -}}
@@ -26,145 +34,123 @@ response-policy {
 {{- (' nsdname-enable ' + functions.named_boolean(zone.nsdname_enable)) if zone.nsdname_enable is defined }};
 {% endfor %}
 {% endfilter %}}
-{{- (' max-policy-ttl ' + option.response_policy.max_policy_ttl | string) if option.response_policy.max_policy_ttl is defined and option.response_policy.max_policy_ttl -}}
-{{- (' min-update-interval ' + option.response_policy.min_update_interval | string) if option.response_policy.min_update_interval is defined and option.response_policy.min_update_interval -}}
-{{- (' min-ns-dots ' + option.response_policy.min_ns_dots | string) if option.response_policy.min_ns_dots is defined and option.response_policy.min_ns_dots -}}
-{{- (' add-soa ' + functions.named_boolean(option.response_policy.add_soa)) if option.response_policy.add_soa is defined -}}
-{{- (' break-dnssec ' + functions.named_boolean(option.response_policy.break_dnssec)) if option.response_policy.break_dnssec is defined -}}
-{{- (' nsip-wait-recurse ' + functions.named_boolean(option.response_policy.nsip_wait_recurse)) if option.response_policy.nsip_wait_recurse is defined -}}
-{{- (' nsdname-wait-recurse ' + functions.named_boolean(option.response_policy.nsdname_wait_recurse)) if option.response_policy.nsdname_wait_recurse is defined -}}
-{{- (' qname-wait-recurse ' + functions.named_boolean(option.response_policy.qname_wait_recurse)) if option.response_policy.qname_wait_recurse is defined -}}
-{{- (' recursive-only ' + functions.named_boolean(option.response_policy.recursive_only)) if option.response_policy.recursive_only is defined -}}
-{{- (' nsip-enable ' + functions.named_boolean(option.response_policy.nsip_enable)) if option.response_policy.nsip_enable is defined -}}
-{{- (' nsdname-enable ' + functions.named_boolean(option.response_policy.nsdname_enable)) if option.response_policy.nsdname_enable is defined -}}
-{{- (' dnsrps-enable ' + functions.named_boolean(option.response_policy.dnsrps_enable)) if option.response_policy.dnsrps_enable is defined -}}
-{{- (' dnsrps-options {\n' + functions.simple_item_list(option.response_policy.dnsrps_options) + '}') if option.response_policy.dnsrps_options is defined and option.response_policy.dnsrps_options -}};
-{% endif %}
-{% if option.response_padding is defined and option.response_padding %}
+{{- (' max-policy-ttl ' + value.max_policy_ttl | string) if value.max_policy_ttl is defined and value.max_policy_ttl -}}
+{{- (' min-update-interval ' + value.min_update_interval | string) if value.min_update_interval is defined and value.min_update_interval -}}
+{{- (' min-ns-dots ' + value.min_ns_dots | string) if value.min_ns_dots is defined and value.min_ns_dots -}}
+{{- (' add-soa ' + functions.named_boolean(value.add_soa)) if value.add_soa is defined -}}
+{{- (' break-dnssec ' + functions.named_boolean(value.break_dnssec)) if value.break_dnssec is defined -}}
+{{- (' nsip-wait-recurse ' + functions.named_boolean(value.nsip_wait_recurse)) if value.nsip_wait_recurse is defined -}}
+{{- (' nsdname-wait-recurse ' + functions.named_boolean(value.nsdname_wait_recurse)) if value.nsdname_wait_recurse is defined -}}
+{{- (' qname-wait-recurse ' + functions.named_boolean(value.qname_wait_recurse)) if value.qname_wait_recurse is defined -}}
+{{- (' recursive-only ' + functions.named_boolean(value.recursive_only)) if value.recursive_only is defined -}}
+{{- (' nsip-enable ' + functions.named_boolean(value.nsip_enable)) if value.nsip_enable is defined -}}
+{{- (' nsdname-enable ' + functions.named_boolean(value.nsdname_enable)) if value.nsdname_enable is defined -}}
+{{- (' dnsrps-enable ' + functions.named_boolean(value.dnsrps_enable)) if value.dnsrps_enable is defined -}}
+{{- (' dnsrps-options { ' + value.dnsrps_options | join('; ') + '; }') if value.dnsrps_options is defined and value.dnsrps_options -}};
+
+{% elif key == 'response_padding' %}
 response-padding {
-{{ functions.simple_item_list(option.response_padding.addresses) }}}
-{{- (' block-size ' + option.response_padding.block_size | string) }}; 
-{% endif %}
-{% if option.rate_limit is defined and option.rate_limit %}
+{{ functions.simple_item_list(value.addresses) }}}
+{{- (' block-size ' + value.block_size | string) }};
+
+{% elif key == 'rate_limit' %}
 rate-limit {
-{% filter indent(2, true) %}
-{{ ('all-per-second ' + option.rate_limit.all_per_second | string + ';\n') if option.rate_limit.all_per_second is defined and option.rate_limit.all_per_second -}}
-{{ ('errors-per-second ' + option.rate_limit.errors_per_second | string + ';\n') if option.rate_limit.errors_per_second is defined and option.rate_limit.errors_per_second -}}
-{{ ('responses-per-second ' + option.rate_limit.responses_per_second | string + ';\n') if option.rate_limit.responses_per_second is defined and option.rate_limit.responses_per_second -}}
-{{ ('referrals-per-second ' + option.rate_limit.referrals_per_second | string + ';\n') if option.rate_limit.referrals_per_second is defined and option.rate_limit.referrals_per_second -}}
-{{ ('nodata-per-second ' + option.rate_limit.nodata_per_second | string + ';\n') if option.rate_limit.nodata_per_second is defined and option.rate_limit.nodata_per_second -}}
-{{ ('nxdomains-per-second ' + option.rate_limit.nxdomains_per_second | string + ';\n') if option.rate_limit.nxdomains_per_second is defined and option.rate_limit.nxdomains_per_second -}}
-{{ ('ipv4-prefix-length ' + option.rate_limit.ipv4_prefix_length | string + ';\n') if option.rate_limit.ipv4_prefix_length is defined and option.rate_limit.ipv4_prefix_length -}}
-{{ ('ipv6-prefix-length ' + option.rate_limit.ipv6_prefix_length | string + ';\n') if option.rate_limit.ipv6_prefix_length is defined and option.rate_limit.ipv6_prefix_length -}}
-{{ ('max-table-size ' + option.rate_limit.max_table_size | string + ';\n') if option.rate_limit.max_table_size is defined and option.rate_limit.max_table_size -}}
-{{ ('min-table-size ' + option.rate_limit.min_table_size | string + ';\n') if option.rate_limit.min_table_size is defined and option.rate_limit.min_table_size -}}
-{{ ('qps-scale ' + option.rate_limit.qps_scale | string + ';\n') if option.rate_limit.qps_scale is defined and option.rate_limit.qps_scale -}}
-{{ ('window ' + option.rate_limit.window | string + ';\n') if option.rate_limit.window is defined and option.rate_limit.window -}}
-{{ ('slip ' + option.rate_limit.slip | string + ';\n') if option.rate_limit.slip is defined and option.rate_limit.slip -}}
-{{ ('log-only ' + functions.named_boolean(option.rate_limit.log_only) + ';\n') if option.rate_limit.log_only is defined -}}
-{{ ('exempt-clients {\n' + functions.simple_item_list(option.rate_limit.exempt_clients) + '};\n') if option.rate_limit.exempt_clients is defined and option.rate_limit.exempt_clients -}}
+{% filter indent(bind9_config_indent, true) %}
+{{ ('all-per-second ' + value.all_per_second | string + ';\n') if value.all_per_second is defined and value.all_per_second -}}
+{{ ('errors-per-second ' + value.errors_per_second | string + ';\n') if value.errors_per_second is defined and value.errors_per_second -}}
+{{ ('responses-per-second ' + value.responses_per_second | string + ';\n') if value.responses_per_second is defined and value.responses_per_second -}}
+{{ ('referrals-per-second ' + value.referrals_per_second | string + ';\n') if value.referrals_per_second is defined and value.referrals_per_second -}}
+{{ ('nodata-per-second ' + value.nodata_per_second | string + ';\n') if value.nodata_per_second is defined and value.nodata_per_second -}}
+{{ ('nxdomains-per-second ' + value.nxdomains_per_second | string + ';\n') if value.nxdomains_per_second is defined and value.nxdomains_per_second -}}
+{{ ('ipv4-prefix-length ' + value.ipv4_prefix_length | string + ';\n') if value.ipv4_prefix_length is defined and value.ipv4_prefix_length -}}
+{{ ('ipv6-prefix-length ' + value.ipv6_prefix_length | string + ';\n') if value.ipv6_prefix_length is defined and value.ipv6_prefix_length -}}
+{{ ('max-table-size ' + value.max_table_size | string + ';\n') if value.max_table_size is defined and value.max_table_size -}}
+{{ ('min-table-size ' + value.min_table_size | string + ';\n') if value.min_table_size is defined and value.min_table_size -}}
+{{ ('qps-scale ' + value.qps_scale | string + ';\n') if value.qps_scale is defined and value.qps_scale -}}
+{{ ('window ' + value.window | string + ';\n') if value.window is defined and value.window -}}
+{{ ('slip ' + value.slip | string + ';\n') if value.slip is defined and value.slip -}}
+{{ ('log-only ' + functions.named_boolean(value.log_only) + ';\n') if value.log_only is defined -}}
+{{ ('exempt-clients {\n' + functions.simple_item_list(value.exempt_clients) + '};\n') if value.exempt_clients is defined and value.exempt_clients -}}
 {% endfilter %}};
-{% endif %}
-{% if option.listen_on_v6 is defined and option.listen_on_v6 %}
-{% for listen in option.listen_on_v6 if option.listen_on_v6 is not mapping %}
-listen-on-v6
+
+{% elif key == 'listen_on_v6' or key == 'listen_on' %}
+{% for listen in (value if value is not mapping else [value]) %}
+{{ conf_key }}
 {{- (' port ' + listen.port | string) if listen.port is defined and listen.port -}}
 {{- (' dscp ' + listen.dscp | string) if listen.dscp is defined and listen.dscp -}}
 {{- (' tls ' + listen.tls | string) if listen.tls is defined and listen.tls -}}
 {{- (' http ' + listen.http | string) if listen.http is defined and listen.http }} {
 {{ functions.simple_item_list(listen.addresses) }}};
-{% else %}
-listen-on-v6
-{{- (' port ' + option.listen_on_v6.port | string) if option.listen_on_v6.port is defined and option.listen_on_v6.port -}}
-{{- (' dscp ' + option.listen_on_v6.dscp | string) if option.listen_on_v6.dscp is defined and option.listen_on_v6.dscp -}}
-{{- (' tls ' + option.listen_on_v6.tls | string) if option.listen_on_v6.tls is defined and option.listen_on_v6.tls -}}
-{{- (' http ' + option.listen_on_v6.http | string) if option.listen_on_v6.http is defined and option.listen_on_v6.http }} {
-{{ functions.simple_item_list(option.listen_on_v6.addresses) }}};
 {% endfor %}
-{% endif %}
-{% if option.listen_on is defined and option.listen_on %}
-{% for listen in option.listen_on if option.listen_on is not mapping %}
-listen-on
-{{- (' port ' + listen.port | string) if listen.port is defined and listen.port -}}
-{{- (' dscp ' + listen.dscp | string) if listen.dscp is defined and listen.dscp -}}
-{{- (' tls ' + listen.tls | string) if listen.tls is defined and listen.tls -}}
-{{- (' http ' + listen.http | string) if listen.http is defined and listen.http }} {
-{{ functions.simple_item_list(listen.addresses) }}};
-{% else %}
-listen-on
-{{- (' port ' + option.listen_on.port | string) if option.listen_on.port is defined and option.listen_on.port -}}
-{{- (' dscp ' + option.listen_on.dscp | string) if option.listen_on.dscp is defined and option.listen_on.dscp -}}
-{{- (' tls ' + option.listen_on.tls | string) if option.listen_on.tls is defined and option.listen_on.tls -}}
-{{- (' http ' + option.listen_on.http | string) if option.listen_on.http is defined and option.listen_on.http }} {
-{{ functions.simple_item_list(option.listen_on.addresses) }}};
-{% endfor %}
-{% endif %}
-{{ functions.parent_address_port_dscp("forwarders", option.forwarders) if option.forwarders is defined and option.forwarders -}}
-{% if option.dual_stack_servers is defined and option.dual_stack_servers %}
+
+{% elif key == 'forwarders' %}
+{{ functions.parent_address_port_dscp("forwarders", value) -}}
+
+{% elif key == 'dual_stack_servers' %}
 dual-stack-servers
-{{ (' port ' + option.dual_stack_servers.port | string) if option.dual_stack_servers.port is defined and option.dual_stack_servers }} {
-{% for host in option.dual_stack_servers.addresses %}
-{% filter indent(2, true) %}
+{{ (' port ' + value.port | string) if value.port is defined and value }} {
+{% for host in value.addresses %}
+{% filter indent(bind9_config_indent, true) %}
 {{ host.address | ansible.utils.ipaddr | ternary(host.address, '"' + host.address + '"') }}
 {{- (' port ' + host.port | string) if host.port is defined and host.port -}}
 {{- (' dscp ' + host.dscp | string) if host.dscp is defined and host.dscp -}};
 {% endfilter %}
 {% endfor %}};
-{% endif %}
-{% if option.dnstap_output is defined and option.dnstap_output %}
-dnstap-output {{ option.dnstap_output.output_type -}}
-{{- ' "' + option.dnstap_output.output_file + '"' -}}
-{{- (' size ' + option.dnstap_output.size | string) if option.dnstap_output.size is defined and option.dnstap_output.size -}}
-{{- (' versions ' + option.dnstap_output.versions | string) if option.dnstap_output.versions is defined and option.dnstap_output.versions -}}
-{{- (' suffix ' + option.dnstap_output.suffix | string) if option.dnstap_output.suffix is defined and option.dnstap_output.suffix -}};
-{% endif %}
-{% if option.dnstap is defined and option.dnstap %}
+
+{% elif key == 'dnstap_output' %}
+dnstap-output {{ value.output_type -}}
+{{- ' "' + value.output_file + '"' -}}
+{{- (' size ' + value.size | string) if value.size is defined and value.size -}}
+{{- (' versions ' + value.versions | string) if value.versions is defined and value.versions -}}
+{{- (' suffix ' + value.suffix | string) if value.suffix is defined and value.suffix -}};
+
+{% elif key == 'dnstap' %}
 dnstap {
-{% filter indent(2, true) %}
-{% for dnstap in option.dnstap %}
+{% filter indent(bind9_config_indent, true) %}
+{% for dnstap in value %}
 {{ dnstap.type }}{{ ' ' + dnstap.log if dnstap.log is defined and dnstap.log }};
 {% endfor %}
 {% endfilter %}};
-{% endif %}
-{% if option.dns64 is defined and option.dns64 %}
-{% for dns64 in option.dns64 if option.dns64 is sequence %}
+
+{% elif key == 'dns64' %}
+{% for dns64 in (value if value is sequence else [value]) %}
 dns64 {{ dns64.netprefix }} {
-{% filter indent(2, true) %}
-{{ ('break-dnssec ' + dns64.break_dnssec | functions.named_boolean + ';\n') if dns64.break_dnssec is defined and dns64.break_dnssec is boolean -}}
-{{ ('recursive-only ' + dns64.recursive_only | functions.named_boolean + ';\n') if dns64.recursive_only is defined and dns64.recursive_only is boolean -}}
+{% filter indent(bind9_config_indent, true) %}
+{{ ('break-dnssec ' + functions.named_boolean(dns64.break_dnssec) + ';\n') if dns64.break_dnssec is defined and dns64.break_dnssec is boolean -}}
+{{ ('recursive-only ' + functions.named_boolean(dns64.recursive_only) + ';\n') if dns64.recursive_only is defined and dns64.recursive_only is boolean -}}
 {{ ('suffix ' + dns64.suffix + ';\n') if dns64.suffix is defined and dns64.suffix -}}
 {{ ("clients {\n" + functions.simple_item_list(dns64.clients) + "};\n") if dns64.clients is defined and dns64.clients -}}
 {{ ("exclude {\n" + functions.simple_item_list(dns64.exclude) + "};\n") if dns64.exclude is defined and dns64.exclude -}}
 {{ ("mapped {\n" + functions.simple_item_list(dns64.mapped) + "};\n") if dns64.mapped is defined and dns64.mapped -}}
 {% endfilter %}};
 {% endfor %}
-{% endif %}
-{% if option.deny_answer_aliases is defined and option.deny_answer_aliases %}
+
+{% elif key == 'deny_answer_aliases' %}
 deny-answer-aliases {
-{{ functions.simple_item_list(option.deny_answer_aliases.names) }}}
-{%- if option.deny_answer_aliases.except_from is defined and option.deny_answer_aliases.except_from %}
+{{ functions.simple_item_list(value.names) }}}
+{%- if value.except_from is defined and value.except_from %}
  except-from {
-{{ functions.simple_item_list(option.deny_answer_aliases.except_from, 4) }}}
+{{ functions.simple_item_list(value.except_from, 4) }}}
 {%- endif %};
-{% endif %}
-{% if option.deny_answer_addresses is defined and option.deny_answer_addresses %}
+
+{% elif key == 'deny_answer_addresses' %}
 deny-answer-addresses {
-{{ functions.simple_item_list(option.deny_answer_addresses.addresses) }}}
-{%- if option.deny_answer_addresses.except_from is defined and option.deny_answer_addresses.except_from %}
+{{ functions.simple_item_list(value.addresses) }}}
+{%- if value.except_from is defined and value.except_from %}
  except-from {
-{{ functions.simple_item_list(option.deny_answer_addresses.except_from, 4) }}}
+{{ functions.simple_item_list(value.except_from, 4) }}}
 {%- endif %};
-{% endif %}
-{% if option.check_names is defined and option.check_names %}
-{% for policy in option.check_names %}
+
+{% elif key == 'check_names' %}
+{% for policy in value %}
 check-names {{ policy.type }} {{ policy.action }};
 {% endfor %}
-{% endif %}
-{% if option.catalog_zones is defined and option.catalog_zones %}
+
+{% elif key == 'catalog_zones' %}
 catalog-zones {
-{% for catalog_zone in option.catalog_zones %}
+{% for catalog_zone in value %}
 zone {{ catalog_zone.zone }}
-{% filter indent(6, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% if catalog_zone.default_primaries is defined and catalog_zone.default_primaries %}
 default-primaries
 {{- (' port ' + catalog_zone.default_primaries.port | string) if catalog_zone.default_primaries.port is defined and catalog_zone.default_primaries.port -}}
@@ -172,293 +158,84 @@ default-primaries
 {{ functions.list_address_port_key_tls(catalog_zone.default_primaries.primaries) }}}
 {% endif %}
 {{ ('zone-directory "' + catalog_zone.zone_directory + '"') if catalog_zone.zone_directory is defined and catalog_zone.zone_directory }}
-{{ ('in-memory ' + (catalog_zone.in_memory | functions.named_boolean ) | string) if catalog_zone.in_memory is defined and catalog_zone.in_memory is boolean }}
+{{ ('in-memory ' + (functions.named_boolean(catalog_zone.in_memory)) | string) if catalog_zone.in_memory is defined and catalog_zone.in_memory is boolean }}
 {{ ('min-update-interval ' + catalog_zone.min_update_interval | string) if catalog_zone.min_update_interval is defined and catalog_zone.min_update_interval}};
 {% endfilter %}
 {% endfor %}};
-{% endif %}
-{{ functions.single_ip_port_dscp('transfer-source', option.transfer_source) if option.transfer_source is defined and option.transfer_source -}}
-{{ functions.single_ip_port_dscp('transfer-source-v6', option.transfer_source_v6) if option.transfer_source_v6 is defined and option.transfer_source_v6 -}}
-{{ functions.single_ip_port_dscp('alt-transfer-source', option.alt_transfer_source) if option.alt_transfer_source is defined and option.alt_transfer_source -}}
-{{ functions.single_ip_port_dscp('alt-transfer-source-v6', option.alt_transfer_source_v6) if option.alt_transfer_source_v6 is defined and option.alt_transfer_source_v6 -}}
-{{ functions.single_ip_port_dscp('query-source', option.query_source) if option.query_source is defined and option.query_source -}}
-{{ functions.single_ip_port_dscp('query-source-v6', option.query_source_v6) if option.query_source_v6 is defined and option.query_source_v6 -}}
-{{ functions.single_ip_port_dscp('parental-source', option.parental_source) if option.parental_source is defined and option.parental_source -}}
-{{ functions.single_ip_port_dscp('parental-source-v6', option.parental_source_v6) if option.parental_source_v6 is defined and option.parental_source_v6 -}}
-{{ functions.single_ip_port_dscp('notify-source', option.notify_source) if option.notify_source is defined and option.notify_source -}}
-{{ functions.single_ip_port_dscp('notify-source-v6', option.notify_source_v6) if option.notify_source_v6 is defined and option.notify_source_v6 -}}
-{% if option.also_notify is defined and option.also_notify is not string %}
+
+{% elif key in ['transfer_source', 'transfer_source_v6', 'alt_transfer_source', 'alt_transfer_source_v6', 'query_source', 'query_source_v6', 'parental_source', 'parental_source_v6', 'notify_source', 'notify_source_v6'] %}
+{{ functions.single_ip_port_dscp(conf_key, value) -}}
+
+{% elif key == 'also_notify' and value is not string %}
 also-notify
-{{- (' port ' + option.also_notify.port | string) if option.also_notify.port is defined and option.also_notify.port -}}
-{{- (' dscp ' + option.also_notify.dscp | string) if option.also_notify.dscp is defined and option.also_notify.dscp }} {
-{{ functions.list_address_port_key_tls(option.also_notify.addresses) }}};
-{% endif %}
-{% if option.allow_transfer is defined and option.allow_transfer is not string %}
+{{- (' port ' + value.port | string) if value.port is defined and value.port -}}
+{{- (' dscp ' + value.dscp | string) if value.dscp is defined and value.dscp }} {
+{{ functions.list_address_port_key_tls(value.addresses) }}};
+
+{% elif key == 'allow_transfer' and value is not string %}
 allow-transfer
-{{- (' port ' + option.allow_transfer.port | string) if option.allow_transfer.port is defined and option.allow_transfer.port -}}
-{{- (' transport ' + option.allow_transfer.transport) if option.allow_transfer.transport is defined and option.allow_transfer.transport }} {
-{{ functions.simple_item_list(option.allow_transfer.addresses) }}};
-{% endif %}
-{# The rest #}
-{% if option.disable_algorithms is defined and option.disable_algorithms %}
-{% for item in option.disable_algorithms %}
+{{- (' port ' + value.port | string) if value.port is defined and value.port -}}
+{{- (' transport ' + value.transport) if value.transport is defined and value.transport }} {
+{{ functions.simple_item_list(value.addresses) }}};
+
+{% elif key == 'disable_algorithms' %}
+{% for item in value %}
 disable-algorithms {{ item.domain }} { "{{ item.algorithms | join('"; "') }}"; };
 {% endfor %}
-{% endif %}
-{% if option.disable_ds_digests is defined and option.disable_ds_digests %}
-{% for item in option.disable_ds_digests %}
+
+{% elif key == 'disable_ds_digests' %}
+{% for item in value %}
 disable-ds-digests {{ item.domain }} { "{{ item.digests | join('"; "') }}"; };
 {% endfor %}
-{% endif %}
-{# Oddball simple options #}
-{% if option.fetch_quota_params is defined and option.fetch_quota_params is string %}
-fetch-quota-params {{ option.fetch_quota_params }};
-{% endif %}
-{% if option.fetches_per_server is defined and option.fetches_per_server is string %}
-fetches-per-server {{ option.fetches_per_server }};
-{% endif %}
-{% if option.fetches_per_zone is defined and option.fetches_per_zone is string %}
-fetches-per-zone {{ option.fetches_per_zone }};
-{% endif %}
-{% if option.prefetch is defined and option.prefetch %}
-prefetch {{ option.prefetch }};
-{% endif %}
-{% if option.root_delegation_only is defined and option.root_delegation_only %}
-root-delegation-only{% if option.root_delegation_only.exclude is defined and option.root_delegation_only.exclude is sequence %} exclude {
-{{ functions.simple_item_list(options.root_delegation_only.exclude) }}}
+
+{% elif key == 'root_delegation_only' %}
+root-delegation-only{% if value.exclude is defined and value.exclude is sequence %} exclude {
+{{ functions.simple_item_list(value.exclude) }}}
 {% endif %};
+
+{% elif key == 'tkey_dhkey' %}
+tkey-dhkey "{{ value.key_name }}" {{ value.key_tag }};
+
+{# --- SPECIAL QUOTED STRINGS --- #}
+{% elif key in ['dnstap_identity', 'server_id'] %}
+{{ functions.reserved_or_quoted(conf_key, value, ['none', 'hostname']) -}}
+
+{% elif key in ['dnstap_version', 'geoip_directory', 'hostname', 'lock_file', 'pid_file', 'random_device', 'session_keyfile', 'version'] %}
+{{ functions.reserved_or_quoted(conf_key, value, ['none']) -}}
+
+{# --- DEPRECATED/OBSOLETE --- #}
+{% elif key == 'tkey_domain' %}
+{# Obsolete in 9.20 #}
+/* WARN: tkey-domain is obsolete in BIND 9.20 */
+{{ functions.reserved_or_quoted(conf_key, value, ['none']) -}}
+
+{% elif key == 'tkey_gssapi_credential' %}
+{# Deprecated in 9.20 #}
+/* WARN: tkey-gssapi-credential is deprecated in BIND 9.20; use tkey-gssapi-keytab */
+{{ functions.reserved_or_quoted(conf_key, value, ['none']) -}}
+
+{# --- SIMPLE LISTS --- #}
+{% elif key in ['allow_notify', 'allow_query', 'allow_query_cache', 'allow_query_cache_on', 'allow_query_on', 'allow_recursion', 'allow_recursion_on', 'allow_update', 'allow_update_forwarding', 'blackhole', 'keep_response_order', 'no_case_compress', 'sortlist', 'avoid_v4_udp_ports', 'avoid_v6_udp_ports', 'use_v4_udp_ports', 'use_v6_udp_ports', 'validate_except'] %}
+{{ conf_key }} {
+{{ functions.simple_item_list(value) }}};
+
+{# --- QUOTED STRINGS --- #}
+{% elif key in ['bindkeys_file', 'directory', 'dump_file', 'key_directory', 'managed_keys_directory', 'memstatistics_file', 'new_zones_directory', 'recursing_file', 'secroots_file', 'statistics_file', 'tkey_gssapi_keytab'] %}
+{{ conf_key }} "{{ value }}";
+
+{# --- BOOLEANS --- #}
+{% elif key in ['allow_new_zones', 'answer_cookie', 'auth_nxdomain', 'automatic_interface_scan', 'check_integrity', 'check_sibling', 'check_wildcard', 'dnsrps_enable', 'dnssec_accept_expired', 'dnssec_dnskey_kskonly', 'dnssec_secure_to_insecure', 'empty_zones_enable', 'flush_zones_on_shutdown', 'glue_cache', 'ipv4only_enable', 'match_mapped_addresses', 'memstatistics', 'message_compression', 'minimal_any', 'multi_master', 'notify_to_soa', 'provide_ixfr', 'querylog', 'recursion', 'request_expire', 'request_ixfr', 'request_nsid', 'require_server_cookie', 'reuseport', 'root_key_sentinel', 'send_cookie', 'stale_answer_enable', 'stale_cache_enable', 'synth_from_dnssec', 'trust_anchor_telemetry', 'try_tcp_refresh', 'update_check_ksk', 'use_alt_transfer_source', 'zero_no_soa_ttl', 'zero_no_soa_ttl_cache'] %}
+{{ functions.boolean_option(conf_key, value) }}
+
+{# --- BOOLEAN OR STRING --- #}
+{% elif key in ['dialup', 'ixfr_from_differences', 'minimal_responses', 'notify', 'zone_statistics', 'dnssec_validation'] %}
+{{ conf_key }} {{ functions.boolean_or_string(value) }};
+
+{# --- FALLTHROUGH --- #}
+{% else %}
+{# Strict mode: Ignore unknown keys or warn if possible. For now, silence is safer than invalid config. #}
 {% endif %}
-{% if option.sig_validity_interval is defined and option.sig_validity_interval %}
-sig-validity-interval {{ option.sig_validity_interval }};
-{% endif %}
-{% if option.tkey_dhkey is defined and option.tkey_dhkey is mapping %}
-tkey-dhkey "{{ option.tkey_dhkey.key_name }}" {{ option.tkey_dhkey.key_tag }};
-{% endif %}
-{# special_quoted_string options with reserved keywords #}
-{% if option.dnstap_identity is defined and option.dnstap_identity is string %}
-{{ functions.reserved_or_quoted('dnstap-identity', option.dnstap_identity, ['none', 'hostname']) -}}
-{% endif %}
-{% if option.dnstap_version is defined and option.dnstap_version is string %}
-{{ functions.reserved_or_quoted('dnstap-version', option.dnstap_version, ['none']) -}}
-{% endif %}
-{% if option.geoip_directory is defined and option.geoip_directory is string %}
-{{ functions.reserved_or_quoted('geoip-directory', option.geoip_directory, ['none']) -}}
-{% endif %}
-{% if option.hostname is defined and option.hostname is string %}
-{{ functions.reserved_or_quoted('hostname', option.hostname, ['none']) -}} 
-{% endif %}
-{% if option.lock_file is defined and option.lock_file is string %}
-{{ functions.reserved_or_quoted('lock-file', option.lock_file, ['none']) -}}
-{% endif %}
-{% if option.pid_file is defined and option.pid_file is string %}
-{{ functions.reserved_or_quoted('pid-file', option.pid_file, ['none']) -}}
-{% endif %}
-{% if option.random_device is defined and option.random_device is string %}
-{{ functions.reserved_or_quoted('random-device', option.random_device, ['none']) -}}
-{% endif %}
-{% if option.server_id is defined and option.server_id is string %}
-{{ functions.reserved_or_quoted('server-id', option.server_id, ['none', 'hostname']) -}}
-{% endif %}
-{% if option.session_keyfile is defined and option.session_keyfile is string %}
-{{ functions.reserved_or_quoted('session-keyfile', option.session_keyfile, ['none']) -}}
-{% endif %}
-{% if option.version is defined and option.version is string %}
-{{ functions.reserved_or_quoted('version', option.version, ['none']) -}}
-{% endif %}
-{# simple list options #}
-{{ ('avoid-v4-udp-ports {\n' + functions.simple_item_list(option.avoid_v4_udp_ports) + '};\n') if option.avoid_v4_udp_ports is defined and option.avoid_v4_udp_ports -}}
-{{ ('avoid-v6-udp-ports {\n' + functions.simple_item_list(option.avoid_v6_udp_ports) + '};\n') if option.avoid_v6_udp_ports is defined and option.avoid_v6_udp_ports -}}
-{{ ('use-v4-udp-ports {\n' + functions.simple_item_list(option.use_v4_udp_ports) + '};\n') if option.use_v4_udp_ports is defined and option.use_v4_udp_ports -}}
-{{ ('use-v6-udp-ports {\n' + functions.simple_item_list(option.use_v6_udp_ports) + '};\n') if option.use_v6_udp_ports is defined and option.use_v6_udp_ports -}}
-{{ ('validate-except {\n' + functions.simple_item_list(option.validate_except) + '};\n') if option.validate_except is defined and option.validate_except -}}
-{# boolean_or_string options #}
-{{ ('dialup ' + functions.boolean_or_string(option.dialup) + ';\n') if option.dialup is defined -}}
-{{ ('ixfr-from-differences ' + functions.boolean_or_string(option.ixfr_from_differences) + ';\n') if option.ixfr_from_differences is defined -}}
-{{ ('minimal-responses ' + functions.boolean_or_string(option.minimal_responses) + ';\n') if option.minimal_responses is defined -}}
-{{ ('notify ' + functions.boolean_or_string(option.notify) + ';\n') if option.notify is defined -}}
-{{ ('zone-statistics ' + functions.boolean_or_string(option.zone_statistics) + ';\n') if option.zone_statistics is defined -}}
-{# duration_sizeval options #}
-{{ ('fstrm-set-reopen-interval ' + option.fstrm_set_reopen_interval | string +';\n') if option.fstrm_set_reopen_interval is defined and option.fstrm_set_reopen_interval -}}
-{{ ('interface-interval ' + option.interface_interval | string +';\n') if option.interface_interval is defined and option.interface_interval -}}
-{{ ('lame-ttl ' + option.lame_ttl | string +';\n') if option.lame_ttl is defined and option.lame_ttl -}}
-{{ ('lmdb-mapsize ' + option.lmdb_mapsize | string +';\n') if option.lmdb_mapsize is defined and option.lmdb_mapsize -}}
-{{ ('max-cache-ttl ' + option.max_cache_ttl | string +';\n') if option.max_cache_ttl is defined and option.max_cache_ttl -}}
-{{ ('max-ncache-ttl ' + option.max_ncache_ttl | string +';\n') if option.max_ncache_ttl is defined and option.max_ncache_ttl -}}
-{{ ('max-stale-ttl ' + option.max_stale_ttl | string +';\n') if option.max_stale_ttl is defined and option.max_stale_ttl -}}
-{{ ('min-cache-ttl ' + option.min_cache_ttl | string +';\n') if option.min_cache_ttl is defined and option.min_cache_ttl -}}
-{{ ('min-ncache-ttl ' + option.min_ncache_ttl | string +';\n') if option.min_ncache_ttl is defined and option.min_ncache_ttl -}}
-{{ ('nta-lifetime ' + option.nta_lifetime | string +';\n') if option.nta_lifetime is defined and option.nta_lifetime -}}
-{{ ('nta-recheck ' + option.nta_recheck | string +';\n') if option.nta_recheck is defined and option.nta_recheck -}}
-{{ ('servfail-ttl ' + option.servfail_ttl | string +';\n') if option.servfail_ttl is defined and option.servfail_ttl -}}
-{{ ('stale-answer-ttl ' + option.stale_answer_ttl | string +';\n') if option.stale_answer_ttl is defined and option.stale_answer_ttl -}}
-{{ ('stale-refresh-time ' + option.stale_refresh_time | string +';\n') if option.stale_refresh_time is defined and option.stale_refresh_time -}}
-{# special options options #}
-{{ ('auto-dnssec ' + option.auto_dnssec | string +';\n') if option.auto_dnssec is defined and option.auto_dnssec -}}
-{{ ('check-dup-records ' + option.check_dup_records | string +';\n') if option.check_dup_records is defined and option.check_dup_records -}}
-{{ ('check-mx ' + option.check_mx | string +';\n') if option.check_mx is defined and option.check_mx -}}
-{{ ('check-mx-cname ' + option.check_mx_cname | string +';\n') if option.check_mx_cname is defined and option.check_mx_cname -}}
-{{ ('check-spf ' + option.check_spf | string +';\n') if option.check_spf is defined and option.check_spf -}}
-{{ ('check-srv-cname ' + option.check_srv_cname | string +';\n') if option.check_srv_cname is defined and option.check_srv_cname -}}
-{{ ('cookie-algorithm ' + option.cookie_algorithm | string +';\n') if option.cookie_algorithm is defined and option.cookie_algorithm -}}
-{{ ('coresize ' + option.coresize | string +';\n') if option.coresize is defined and option.coresize -}}
-{{ ('datasize ' + option.datasize | string +';\n') if option.datasize is defined and option.datasize -}}
-{{ ('dnssec-update-mode ' + option.dnssec_update_mode | string +';\n') if option.dnssec_update_mode is defined and option.dnssec_update_mode -}}
-{{ ('dnssec-validation ' + option.dnssec_validation | string +';\n') if option.dnssec_validation is defined and option.dnssec_validation -}}
-{{ ('files ' + option.files | string +';\n') if option.files is defined and option.files -}}
-{{ ('forward ' + option.forward | string +';\n') if option.forward is defined and option.forward -}}
-{{ ('fstrm-set-output-queue-model ' + option.fstrm_set_output_queue_model | string +';\n') if option.fstrm_set_output_queue_model is defined and option.fstrm_set_output_queue_model -}}
-{{ ('masterfile-format ' + option.masterfile_format | string +';\n') if option.masterfile_format is defined and option.masterfile_format -}}
-{{ ('masterfile-style ' + option.masterfile_style | string +';\n') if option.masterfile_style is defined and option.masterfile_style -}}
-{{ ('max-cache-size ' + option.max_cache_size | string +';\n') if option.max_cache_size is defined and option.max_cache_size -}}
-{{ ('max-ixfr-ratio ' + option.max_ixfr_ratio | string +';\n') if option.max_ixfr_ratio is defined and option.max_ixfr_ratio -}}
-{{ ('max-journal-size ' + option.max_journal_size | string +';\n') if option.max_journal_size is defined and option.max_journal_size -}}
-{{ ('max-zone-ttl ' + option.max_zone_ttl | string +';\n') if option.max_zone_ttl is defined and option.max_zone_ttl -}}
-{{ ('qname-minimization ' + option.qname_minimization | string +';\n') if option.qname_minimization is defined and option.qname_minimization -}}
-{{ ('serial-update-method ' + option.serial_update_method | string +';\n') if option.serial_update_method is defined and option.serial_update_method -}}
-{{ ('stacksize ' + option.stacksize | string +';\n') if option.stacksize is defined and option.stacksize -}}
-{{ ('stale-answer-client-timeout ' + option.stale_answer_client_timeout | string +';\n') if option.stale_answer_client_timeout is defined and option.stale_answer_client_timeout -}}
-{{ ('transfer-format ' + option.transfer_format | string +';\n') if option.transfer_format is defined and option.transfer_format -}}
-{# quoted_string options #}
-{{ ('bindkeys-file "' + option.bindkeys_file | string +'";\n') if option.bindkeys_file is defined and option.bindkeys_file -}}
-{{ ('directory "' + option.directory | string +'";\n') if option.directory is defined and option.directory -}}
-{{ ('dump-file "' + option.dump_file | string +'";\n') if option.dump_file is defined and option.dump_file -}}
-{{ ('key-directory "' + option.key_directory | string +'";\n') if option.key_directory is defined and option.key_directory -}}
-{{ ('managed-keys-directory "' + option.managed_keys_directory | string +'";\n') if option.managed_keys_directory is defined and option.managed_keys_directory -}}
-{{ ('memstatistics-file "' + option.memstatistics_file | string +'";\n') if option.memstatistics_file is defined and option.memstatistics_file -}}
-{{ ('new-zones-directory "' + option.new_zones_directory | string +'";\n') if option.new_zones_directory is defined and option.new_zones_directory -}}
-{{ ('recursing-file "' + option.recursing_file | string +'";\n') if option.recursing_file is defined and option.recursing_file -}}
-{{ ('secroots-file "' + option.secroots_file | string +'";\n') if option.secroots_file is defined and option.secroots_file -}}
-{{ ('statistics-file "' + option.statistics_file | string +'";\n') if option.statistics_file is defined and option.statistics_file -}}
-{{ ('tkey-domain "' + option.tkey_domain | string +'";\n') if option.tkey_domain is defined and option.tkey_domain -}}
-{{ ('tkey-gssapi-credential "' + option.tkey_gssapi_credential | string +'";\n') if option.tkey_gssapi_credential is defined and option.tkey_gssapi_credential -}}
-{{ ('tkey-gssapi-keytab "' + option.tkey_gssapi_keytab | string +'";\n') if option.tkey_gssapi_keytab is defined and option.tkey_gssapi_keytab -}}
-{# simple_item_list options #}
-{{ ('allow-notify {\n' + functions.simple_item_list(option.allow_notify) + '};\n') if option.allow_notify is defined and option.allow_notify -}}
-{{ ('allow-query {\n' + functions.simple_item_list(option.allow_query) + '};\n') if option.allow_query is defined and option.allow_query -}}
-{{ ('allow-query-cache {\n' + functions.simple_item_list(option.allow_query_cache) + '};\n') if option.allow_query_cache is defined and option.allow_query_cache -}}
-{{ ('allow-query-cache-on {\n' + functions.simple_item_list(option.allow_query_cache_on) + '};\n') if option.allow_query_cache_on is defined and option.allow_query_cache_on -}}
-{{ ('allow-query-on {\n' + functions.simple_item_list(option.allow_query_on) + '};\n') if option.allow_query_on is defined and option.allow_query_on -}}
-{{ ('allow-recursion {\n' + functions.simple_item_list(option.allow_recursion) + '};\n') if option.allow_recursion is defined and option.allow_recursion -}}
-{{ ('allow-recursion-on {\n' + functions.simple_item_list(option.allow_recursion_on) + '};\n') if option.allow_recursion_on is defined and option.allow_recursion_on -}}
-{{ ('allow-update {\n' + functions.simple_item_list(option.allow_update) + '};\n') if option.allow_update is defined and option.allow_update -}}
-{{ ('allow-update-forwarding {\n' + functions.simple_item_list(option.allow_update_forwarding) + '};\n') if option.allow_update_forwarding is defined and option.allow_update_forwarding -}}
-{{ ('blackhole {\n' + functions.simple_item_list(option.blackhole) + '};\n') if option.blackhole is defined and option.blackhole -}}
-{{ ('keep-response-order {\n' + functions.simple_item_list(option.keep_response_order) + '};\n') if option.keep_response_order is defined and option.keep_response_order -}}
-{{ ('no-case-compress {\n' + functions.simple_item_list(option.no_case_compress) + '};\n') if option.no_case_compress is defined and option.no_case_compress -}}
-{{ ('sortlist {\n' + functions.simple_item_list(option.sortlist) + '};\n') if option.sortlist is defined and option.sortlist -}}
-{# String options #}
-{{ ('attach-cache ' + option.attach_cache | string +';\n') if option.attach_cache is defined and option.attach_cache -}}
-{{ ('cookie-secret ' + option.cookie_secret | string +';\n') if option.cookie_secret is defined and option.cookie_secret -}}
-{{ ('disable-empty-zone ' + option.disable_empty_zone | string +';\n') if option.disable_empty_zone is defined and option.disable_empty_zone -}}
-{{ ('dns64-contact ' + option.dns64_contact | string +';\n') if option.dns64_contact is defined and option.dns64_contact -}}
-{{ ('dns64-server ' + option.dns64_server | string +';\n') if option.dns64_server is defined and option.dns64_server -}}
-{{ ('dnssec-policy ' + option.dnssec_policy | string +';\n') if option.dnssec_policy is defined and option.dnssec_policy -}}
-{{ ('empty-contact ' + option.empty_contact | string +';\n') if option.empty_contact is defined and option.empty_contact -}}
-{{ ('empty-server ' + option.empty_server | string +';\n') if option.empty_server is defined and option.empty_server -}}
-{{ ('ipv4only-contact ' + option.ipv4only_contact | string +';\n') if option.ipv4only_contact is defined and option.ipv4only_contact -}}
-{{ ('ipv4only-server ' + option.ipv4only_server | string +';\n') if option.ipv4only_server is defined and option.ipv4only_server -}}
-{{ ('nxdomain-redirect ' + option.nxdomain_redirect | string +';\n') if option.nxdomain_redirect is defined and option.nxdomain_redirect -}}
-{{ ('preferred-glue ' + option.preferred_glue | string +';\n') if option.preferred_glue is defined and option.preferred_glue -}}
-{{ ('session-keyalg ' + option.session_keyalg | string +';\n') if option.session_keyalg is defined and option.session_keyalg -}}
-{{ ('session-keyname ' + option.session_keyname | string +';\n') if option.session_keyname is defined and option.session_keyname -}}
-{# Integer options #}
-{{ ('clients-per-query ' + option.clients_per_query | string +';\n') if option.clients_per_query is defined and option.clients_per_query -}}
-{{ ('dnskey-sig-validity ' + option.dnskey_sig_validity | string +';\n') if option.dnskey_sig_validity is defined and option.dnskey_sig_validity -}}
-{{ ('dnssec-loadkeys-interval ' + option.dnssec_loadkeys_interval | string +';\n') if option.dnssec_loadkeys_interval is defined and option.dnssec_loadkeys_interval -}}
-{{ ('dscp ' + option.dscp | string +';\n') if option.dscp is defined and option.dscp -}}
-{{ ('edns-udp-size ' + option.edns_udp_size | string +';\n') if option.edns_udp_size is defined and option.edns_udp_size -}}
-{{ ('fstrm-set-buffer-hint ' + option.fstrm_set_buffer_hint | string +';\n') if option.fstrm_set_buffer_hint is defined and option.fstrm_set_buffer_hint -}}
-{{ ('fstrm-set-flush-timeout ' + option.fstrm_set_flush_timeout | string +';\n') if option.fstrm_set_flush_timeout is defined and option.fstrm_set_flush_timeout -}}
-{{ ('fstrm-set-input-queue-size ' + option.fstrm_set_input_queue_size | string +';\n') if option.fstrm_set_input_queue_size is defined and option.fstrm_set_input_queue_size -}}
-{{ ('fstrm-set-output-notify-threshold ' + option.fstrm_set_output_notify_threshold | string +';\n') if option.fstrm_set_output_notify_threshold is defined and option.fstrm_set_output_notify_threshold -}}
-{{ ('fstrm-set-output-queue-size ' + option.fstrm_set_output_queue_size | string +';\n') if option.fstrm_set_output_queue_size is defined and option.fstrm_set_output_queue_size -}}
-{{ ('heartbeat-interval ' + option.heartbeat_interval | string +';\n') if option.heartbeat_interval is defined and option.heartbeat_interval -}}
-{{ ('http-listener-clients ' + option.http_listener_clients | string +';\n') if option.http_listener_clients is defined and option.http_listener_clients -}}
-{{ ('http-port ' + option.http_port | string +';\n') if option.http_port is defined and option.http_port -}}
-{{ ('http-streams-per-connection ' + option.http_streams_per_connection | string +';\n') if option.http_streams_per_connection is defined and option.http_streams_per_connection -}}
-{{ ('https-port ' + option.https_port | string +';\n') if option.https_port is defined and option.https_port -}}
-{{ ('max-clients-per-query ' + option.max_clients_per_query | string +';\n') if option.max_clients_per_query is defined and option.max_clients_per_query -}}
-{{ ('max-records ' + option.max_records | string +';\n') if option.max_records is defined and option.max_records -}}
-{{ ('max-recursion-depth ' + option.max_recursion_depth | string +';\n') if option.max_recursion_depth is defined and option.max_recursion_depth -}}
-{{ ('max-recursion-queries ' + option.max_recursion_queries | string +';\n') if option.max_recursion_queries is defined and option.max_recursion_queries -}}
-{{ ('max-refresh-time ' + option.max_refresh_time | string +';\n') if option.max_refresh_time is defined and option.max_refresh_time -}}
-{{ ('max-retry-time ' + option.max_retry_time | string +';\n') if option.max_retry_time is defined and option.max_retry_time -}}
-{{ ('max-rsa-exponent-size ' + option.max_rsa_exponent_size | string +';\n') if option.max_rsa_exponent_size is defined and option.max_rsa_exponent_size -}}
-{{ ('max-transfer-idle-in ' + option.max_transfer_idle_in | string +';\n') if option.max_transfer_idle_in is defined and option.max_transfer_idle_in -}}
-{{ ('max-transfer-idle-out ' + option.max_transfer_idle_out | string +';\n') if option.max_transfer_idle_out is defined and option.max_transfer_idle_out -}}
-{{ ('max-transfer-time-in ' + option.max_transfer_time_in | string +';\n') if option.max_transfer_time_in is defined and option.max_transfer_time_in -}}
-{{ ('max-transfer-time-out ' + option.max_transfer_time_out | string +';\n') if option.max_transfer_time_out is defined and option.max_transfer_time_out -}}
-{{ ('max-udp-size ' + option.max_udp_size | string +';\n') if option.max_udp_size is defined and option.max_udp_size -}}
-{{ ('min-refresh-time ' + option.min_refresh_time | string +';\n') if option.min_refresh_time is defined and option.min_refresh_time -}}
-{{ ('min-retry-time ' + option.min_retry_time | string +';\n') if option.min_retry_time is defined and option.min_retry_time -}}
-{{ ('nocookie-udp-size ' + option.nocookie_udp_size | string +';\n') if option.nocookie_udp_size is defined and option.nocookie_udp_size -}}
-{{ ('notify-delay ' + option.notify_delay | string +';\n') if option.notify_delay is defined and option.notify_delay -}}
-{{ ('notify-rate ' + option.notify_rate | string +';\n') if option.notify_rate is defined and option.notify_rate -}}
-{{ ('port ' + option.port | string +';\n') if option.port is defined and option.port -}}
-{{ ('recursive-clients ' + option.recursive_clients | string +';\n') if option.recursive_clients is defined and option.recursive_clients -}}
-{{ ('resolver-nonbackoff-tries ' + option.resolver_nonbackoff_tries | string +';\n') if option.resolver_nonbackoff_tries is defined and option.resolver_nonbackoff_tries -}}
-{{ ('resolver-query-timeout ' + option.resolver_query_timeout | string +';\n') if option.resolver_query_timeout is defined and option.resolver_query_timeout -}}
-{{ ('resolver-retry-interval ' + option.resolver_retry_interval | string +';\n') if option.resolver_retry_interval is defined and option.resolver_retry_interval -}}
-{{ ('serial-query-rate ' + option.serial_query_rate | string +';\n') if option.serial_query_rate is defined and option.serial_query_rate -}}
-{{ ('sig-signing-nodes ' + option.sig_signing_nodes | string +';\n') if option.sig_signing_nodes is defined and option.sig_signing_nodes -}}
-{{ ('sig-signing-signatures ' + option.sig_signing_signatures | string +';\n') if option.sig_signing_signatures is defined and option.sig_signing_signatures -}}
-{{ ('sig-signing-type ' + option.sig_signing_type | string +';\n') if option.sig_signing_type is defined and option.sig_signing_type -}}
-{{ ('startup-notify-rate ' + option.startup_notify_rate | string +';\n') if option.startup_notify_rate is defined and option.startup_notify_rate -}}
-{{ ('tcp-advertised-timeout ' + option.tcp_advertised_timeout | string +';\n') if option.tcp_advertised_timeout is defined and option.tcp_advertised_timeout -}}
-{{ ('tcp-clients ' + option.tcp_clients | string +';\n') if option.tcp_clients is defined and option.tcp_clients -}}
-{{ ('tcp-idle-timeout ' + option.tcp_idle_timeout | string +';\n') if option.tcp_idle_timeout is defined and option.tcp_idle_timeout -}}
-{{ ('tcp-initial-timeout ' + option.tcp_initial_timeout | string +';\n') if option.tcp_initial_timeout is defined and option.tcp_initial_timeout -}}
-{{ ('tcp-keepalive-timeout ' + option.tcp_keepalive_timeout | string +';\n') if option.tcp_keepalive_timeout is defined and option.tcp_keepalive_timeout -}}
-{{ ('tcp-listen-queue ' + option.tcp_listen_queue | string +';\n') if option.tcp_listen_queue is defined and option.tcp_listen_queue -}}
-{{ ('tcp-receive-buffer ' + option.tcp_receive_buffer | string +';\n') if option.tcp_receive_buffer is defined and option.tcp_receive_buffer -}}
-{{ ('tcp-send-buffer ' + option.tcp_send_buffer | string +';\n') if option.tcp_send_buffer is defined and option.tcp_send_buffer -}}
-{{ ('tls-port ' + option.tls_port | string +';\n') if option.tls_port is defined and option.tls_port -}}
-{{ ('transfer-message-size ' + option.transfer_message_size | string +';\n') if option.transfer_message_size is defined and option.transfer_message_size -}}
-{{ ('transfers-in ' + option.transfers_in | string +';\n') if option.transfers_in is defined and option.transfers_in -}}
-{{ ('transfers-out ' + option.transfers_out | string +';\n') if option.transfers_out is defined and option.transfers_out -}}
-{{ ('transfers-per-ns ' + option.transfers_per_ns | string +';\n') if option.transfers_per_ns is defined and option.transfers_per_ns -}}
-{{ ('udp-receive-buffer ' + option.udp_receive_buffer | string +';\n') if option.udp_receive_buffer is defined and option.udp_receive_buffer -}}
-{{ ('udp-send-buffer ' + option.udp_send_buffer | string +';\n') if option.udp_send_buffer is defined and option.udp_send_buffer -}}
-{{ ('v6-bias ' + option.v6_bias | string +';\n') if option.v6_bias is defined and option.v6_bias -}}
-{# Boolean options #}
-{{ (functions.boolean_option('allow-new-zones', option.allow_new_zones) + '\n') if option.allow_new_zones is defined -}}
-{{ (functions.boolean_option('answer-cookie', option.answer_cookie) + '\n') if option.answer_cookie is defined -}}
-{{ (functions.boolean_option('auth-nxdomain', option.auth_nxdomain) + '\n') if option.auth_nxdomain is defined -}}
-{{ (functions.boolean_option('automatic-interface-scan', option.automatic_interface_scan) + '\n') if option.automatic_interface_scan is defined -}}
-{{ (functions.boolean_option('check-integrity', option.check_integrity) + '\n') if option.check_integrity is defined -}}
-{{ (functions.boolean_option('check-sibling', option.check_sibling) + '\n') if option.check_sibling is defined -}}
-{{ (functions.boolean_option('check-wildcard', option.check_wildcard) + '\n') if option.check_wildcard is defined -}}
-{{ (functions.boolean_option('dnsrps-enable', option.dnsrps_enable) + '\n') if option.dnsrps_enable is defined -}}
-{{ (functions.boolean_option('dnssec-accept-expired', option.dnssec_accept_expired) + '\n') if option.dnssec_accept_expired is defined -}}
-{{ (functions.boolean_option('dnssec-dnskey-kskonly', option.dnssec_dnskey_kskonly) + '\n') if option.dnssec_dnskey_kskonly is defined -}}
-{{ (functions.boolean_option('dnssec-secure-to-insecure', option.dnssec_secure_to_insecure) + '\n') if option.dnssec_secure_to_insecure is defined -}}
-{{ (functions.boolean_option('empty-zones-enable', option.empty_zones_enable) + '\n') if option.empty_zones_enable is defined -}}
-{{ (functions.boolean_option('flush-zones-on-shutdown', option.flush_zones_on_shutdown) + '\n') if option.flush_zones_on_shutdown is defined -}}
-{{ (functions.boolean_option('glue-cache', option.glue_cache) + '\n') if option.glue_cache is defined -}}
-{{ (functions.boolean_option('ipv4only-enable', option.ipv4only_enable) + '\n') if option.ipv4only_enable is defined -}}
-{{ (functions.boolean_option('match-mapped-addresses', option.match_mapped_addresses) + '\n') if option.match_mapped_addresses is defined -}}
-{{ (functions.boolean_option('memstatistics', option.memstatistics) + '\n') if option.memstatistics is defined -}}
-{{ (functions.boolean_option('message-compression', option.message_compression) + '\n') if option.message_compression is defined -}}
-{{ (functions.boolean_option('minimal-any', option.minimal_any) + '\n') if option.minimal_any is defined -}}
-{{ (functions.boolean_option('multi-master', option.multi_master) + '\n') if option.multi_master is defined -}}
-{{ (functions.boolean_option('notify-to-soa', option.notify_to_soa) + '\n') if option.notify_to_soa is defined -}}
-{{ (functions.boolean_option('provide-ixfr', option.provide_ixfr) + '\n') if option.provide_ixfr is defined -}}
-{{ (functions.boolean_option('querylog', option.querylog) + '\n') if option.querylog is defined -}}
-{{ (functions.boolean_option('recursion', option.recursion) + '\n') if option.recursion is defined -}}
-{{ (functions.boolean_option('request-expire', option.request_expire) + '\n') if option.request_expire is defined -}}
-{{ (functions.boolean_option('request-ixfr', option.request_ixfr) + '\n') if option.request_ixfr is defined -}}
-{{ (functions.boolean_option('request-nsid', option.request_nsid) + '\n') if option.request_nsid is defined -}}
-{{ (functions.boolean_option('require-server-cookie', option.require_server_cookie) + '\n') if option.require_server_cookie is defined -}}
-{{ (functions.boolean_option('reuseport', option.reuseport) + '\n') if option.reuseport is defined -}}
-{{ (functions.boolean_option('root-key-sentinel', option.root_key_sentinel) + '\n') if option.root_key_sentinel is defined -}}
-{{ (functions.boolean_option('send-cookie', option.send_cookie) + '\n') if option.send_cookie is defined -}}
-{{ (functions.boolean_option('stale-answer-enable', option.stale_answer_enable) + '\n') if option.stale_answer_enable is defined -}}
-{{ (functions.boolean_option('stale-cache-enable', option.stale_cache_enable) + '\n') if option.stale_cache_enable is defined -}}
-{{ (functions.boolean_option('synth-from-dnssec', option.synth_from_dnssec) + '\n') if option.synth_from_dnssec is defined -}}
-{{ (functions.boolean_option('trust-anchor-telemetry', option.trust_anchor_telemetry) + '\n') if option.trust_anchor_telemetry is defined -}}
-{{ (functions.boolean_option('try-tcp-refresh', option.try_tcp_refresh) + '\n') if option.try_tcp_refresh is defined -}}
-{{ (functions.boolean_option('update-check-ksk', option.update_check_ksk) + '\n') if option.update_check_ksk is defined -}}
-{{ (functions.boolean_option('use-alt-transfer-source', option.use_alt_transfer_source) + '\n') if option.use_alt_transfer_source is defined -}}
-{{ (functions.boolean_option('zero-no-soa-ttl', option.zero_no_soa_ttl) + '\n') if option.zero_no_soa_ttl is defined -}}
-{{ (functions.boolean_option('zero-no-soa-ttl-cache', option.zero_no_soa_ttl_cache) + '\n') if option.zero_no_soa_ttl_cache is defined -}}
-{% endmacro %}
+
+{% endfor %}
+{% endfilter %}
+};

templates/named.conf.parental-agents.j2

@@ -1,10 +1,8 @@
-{% macro parental_agents(parental_agents) %}
-{% for agent in parental_agents if parental_agents is iterable %}
+{% for agent in item.parental_agents if item.parental_agents is iterable %}
+
 parental-agents {{ agent.name -}}
 {{ (' port ' + agent.port | string) if agent.port is defined and agent.port -}}
 {{ (' dscp ' + agent.dscp | string) if agent.dscp is defined and agent.dscp }} {
-{% filter indent(2, true) %}
-{{ functions.list_address_port_key_tls(agent.addresses) -}}
-{% endfilter %}};
+{{ functions.list_address_port_key_tls(agent.addresses) -}}};
+
 {% endfor %}
-{% endmacro %}

templates/named.conf.primaries.j2

@@ -1,8 +1,7 @@
-{% macro primaries(primaries) %}
-{% for primary in primaries if primaries is iterable %}
+{% for primary in item.primaries if item.primaries is iterable %}
+
 primaries {{ primary.name -}}
 {{ (' port ' + primary.port | string) if primary.port is defined and primary.port -}}
 {{ (' dscp ' + primary.dscp | string) if primary.dscp is defined and primary.dscp }} {
 {{ functions.list_address_port_key_tls(primary.addresses) -}}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.remote-servers.j2

@@ -0,0 +1,20 @@
+{% for server in item.remote_servers %}
+remote-servers "{{ server.name }}" {
+{% filter indent(bind9_config_indent, true) %}
+{% for key, value in server.items() %}
+{% if key != 'name' %}
+{# Handle known complex types if any, otherwise default to simple string/block #}
+{% if value is iterable and value is not string and value is not mapping %}
+{{ key }} {
+    {% for subitem in value %}
+    {{ subitem }};
+    {% endfor %}
+};
+{% else %}
+{{ key }} {{ value }};
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endfilter %}
+};
+{% endfor %}

templates/named.conf.server.j2

@@ -1,7 +1,7 @@
-{% macro server(servers) %}
-{% for server in servers if servers is iterable %}
+{% for server in item.server if item.server is iterable %}
+
 server {{ server.prefix }} {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% if server.transfer_source is defined and server.transfer_source is mapping %}
 transfer-source {{ server.transfer_source.address -}}
 {{- (' port ' + server.transfer_source.port | string) if server.transfer_source.port is defined and server.transfer_source.port -}}
@@ -54,4 +54,3 @@ query-source
 {{ (functions.boolean_option('send-cookie', server.send_cookie) + '\n') if server.send_cookie is defined -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.statistics-channels.j2

@@ -1,10 +1,9 @@
-{% macro statistics_channels(statistics_channels) %}
+
 statistics-channels {
-{% filter indent(2, true) %}
-{% for channel in statistics_channels if statistics_channels is iterable %}
+{% filter indent(bind9_config_indent, true) %}
+{% for channel in item.statistics_channels if item.statistics_channels is iterable %}
 inet {{ channel.address | string }}
 {{- (' port ' + channel.port | string) if channel.port is defined and channel.port -}}
 {{- (' allow {\n' + functions.simple_item_list(channel.allow) + '};\n') if channel.allow is defined and channel.allow -}}
 {% endfor %}
 {% endfilter %}};
-{% endmacro %}

templates/named.conf.tls.j2

@@ -1,7 +1,7 @@
-{% macro tls(tlss) %}
-{% for tls in tlss if tlss is iterable %}
+{% for tls in item.tls if item.tls is iterable %}
+
 tls {{ tls.name }} {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {{ ('cert-file "' + tls.cert_file + '";\n') if tls.cert_file is defined and tls.cert_file -}}
 {{ ('key-file "' + tls.key_file + '";\n') if tls.key_file is defined and tls.key_file -}}
 {{ ('dhparam-file "' + tls.dhparam_file + '";\n') if tls.dhparam_file is defined and tls.dhparam_file -}}
@@ -13,4 +13,3 @@ tls {{ tls.name }} {
 {{ (functions.boolean_option('session-tickets', tls.session_tickets) + '\n') if tls.session_tickets is defined -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.trust-anchors.j2

@@ -1,7 +1,7 @@
-{% macro trust_anchors(trust_anchors) %}
+
 trust-anchors {
-{% filter indent(2, true) %}
-{% for anchor in trust_anchors if trust_anchors is iterable %}
+{% filter indent(bind9_config_indent, true) %}
+{% for anchor in item.trust_anchors if item.trust_anchors is iterable %}
 {{ (anchor.name | string) -}}
 {{ (' ' + anchor.type) -}}
 {{ (' ' + anchor.flags | string) -}}
@@ -10,4 +10,3 @@ trust-anchors {
 {{ (' "' + anchor.key + '"') -}};
 {% endfor %}
 {% endfilter %}};
-{% endmacro %}

templates/named.conf.view.j2

@@ -1,7 +1,7 @@
-{% macro view(views) %}
-{% for view in views if views is iterable %}
+{% for view in item.view if item.view is iterable %}
+
 view {{ view.name }} {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {{ ('match-recursive-only ' + functions.named_boolean(view.match_recursive_only) + ';\n') if view.match_recursive_only is defined -}}
 {{ ('match-clients {\n' + functions.simple_item_list(view.match_clients) + '};\n') if view.match_clients is defined and view.match_clients -}}
 {{ ('match-destinations {\n' + functions.simple_item_list(view.match_destinations) + '};\n') if view.match_destinations is defined and view.match_destinations -}}
@@ -75,4 +75,4 @@ view {{ view.name }} {
 {{ trust_anchors(view.trust_anchors) -}}
 {% endif %}
 {% endfilter %}
-};{% endfor %}{% endmacro %}
+};{% endfor %}

templates/named.conf.zone.j2

@@ -1,162 +1,84 @@
-# Zones Macro
-{% macro zones(zones) -%}
-{% for zone in zones %}
+{% for zone in item.zones %}
+
 zone "{{ zone.name }}" {
-{% filter indent(2, true) %}
-# Zone {{ zone.name }} type {{ zone.type }}
-{# Most critical/defining statements first #}
-{{ ('type ' + zone.type | string+';\n') if zone.type is defined and zone.type -}}
-{{ ('file "' + zone.file | string+'";\n') if zone.file is defined and zone.file -}}
-{{ ('forward ' + zone.forward | string+';\n') if zone.forward is defined and zone.forward -}}
-{{ ('journal "' + zone.journal | string+'";\n') if zone.journal is defined and zone.journal -}}
-{{ ('key-directory "' + zone.key_directory | string+'";\n') if zone.key_directory is defined and zone.key_directory -}}
-{# boolean_or_string options #}
-{{ ('dialup ' + functions.boolean_or_string(zone.dialup) + ';\n') if zone.dialup is defined -}}
-{{ ('notify ' + functions.boolean_or_string(zone.notify) + ';\n') if zone.notify is defined -}}
-{{ ('zone-statistics ' + functions.boolean_or_string(zone.zone_statistics) + ';\n') if zone.zone_statistics is defined -}}
-{# upstream_servers options #}
-{{ functions.parent_address_key_tls('also-notify', zone.also_notify) if zone.also_notify is defined and zone.also_notify -}}
-{{ functions.parent_address_key_tls('primaries', zone.primaries) if zone.primaries is defined and zone.primaries -}}
-{{ functions.parent_address_key_tls('parental-agents', zone.parental_agents) if zone.parental_agents is defined and zone.parental_agents -}}
-{# Unicorn Options#}
-{% if zone.update_policy is defined and zone.update_policy %}
-{% if zone.update_policy == 'local' %}
+{% filter indent(bind9_config_indent, true) %}
+{% for key, value in zone.items() %}
+{% set conf_key = key | replace('_', '-') %}
+
+{% if key == 'name' %}
+{# Skip name as it is in the zone header #}
+
+{# --- COMPLEX BLOCKS --- #}
+{% elif key == 'update_policy' %}
+{% if value == 'local' %}
 update-policy local;
 {% else %}
 update-policy {
-{% filter indent(2, true) %}
-{% for policy in zone.update_policy %}
+{% filter indent(bind9_config_indent, true) %}
+{% for policy in value %}
 {{ policy.permission -}}
 {{ ' ' + policy.identity -}}
 {{ ' ' + policy.ruletype -}}
-{{ ' ' + policy.name -}}
+{{ ' ' + policy.name if policy.name is defined -}}
 {{ ' ' + policy.types -}};
 {% endfor %}
 {% endfilter %}};
 {% endif %}
-{% endif %}
-{% if zone.sig_validity_interval is defined and zone.sig_validity_interval %}
+
+{% elif key == 'sig_validity_interval' %}
 sig-validity-interval
-{{- (' ' + zone.sig_validity_interval.upper | string) }}
-{{- (' ' + zone.sig_validity_interval.lower | string) if zone.sig_validity_interval.lower is defined and zone.sig_validity_interval.lower -}};
-{% endif %}
-{% if zone.server_names is defined and zone.server_names %}
-server-names {
-{{ functions.simple_item_list(zone.server_names) }}};
-{% endif %}
-{% if zone.server_addresses is defined and zone.server_addresses %}
-server-addresses {
-{{ functions.simple_item_list(zone.server_addresses) }}};
-{% endif %}
-{{ functions.parent_address_port_dscp('forwarders', zone.forwarders) if zone.forwarders is defined and zone.forwarders -}}
-{% if zone.allow_transfer is defined and zone.allow_transfer is not string %}
+{{- (' ' + value.upper | string) }}
+{{- (' ' + value.lower | string) if value.lower is defined and value.lower -}};
+
+{% elif key in ['server_names', 'server_addresses'] %}
+{{ conf_key }} {
+{{ functions.simple_item_list(value) }}};
+
+{% elif key in ['also_notify', 'primaries', 'parental_agents'] %}
+{{ functions.parent_address_key_tls(conf_key, value) -}}
+
+{% elif key == 'forwarders' %}
+{{ functions.parent_address_port_dscp('forwarders', value) -}}
+
+{% elif key == 'allow_transfer' and value is not string and value is mapping %}
 allow-transfer
-{{- (' port ' + zone.allow_transfer.port | string) if zone.allow_transfer.port is defined and zone.allow_transfer.port -}}
-{{- (' transport ' + zone.allow_transfer.transport) if zone.allow_transfer.transport is defined and zone.allow_transfer.transport }} {
-{{ functions.simple_item_list(zone.allow_transfer.addresses) }}};
+{{- (' port ' + value.port | string) if value.port is defined and value.port -}}
+{{- (' transport ' + value.transport) if value.transport is defined and value.transport }} {
+{{ functions.simple_item_list(value.addresses) }}};
+
+{% elif key in ['transfer_source', 'transfer_source_v6', 'alt_transfer_source', 'alt_transfer_source_v6', 'notify_source', 'notify_source_v6', 'parental_source', 'parental_source_v6'] %}
+{{ conf_key }} {{ value.address -}}
+{{- (' port ' + value.port | string) if value.port is defined and value.port -}}
+{{- (' dscp ' + value.dscp | string) if value.dscp is defined and value.dscp }};
+
+{# --- SIMPLE LISTS --- #}
+{% elif key in ['allow_notify', 'allow_query', 'allow_query_on', 'allow_update', 'allow_update_forwarding'] %}
+{{ conf_key }} {
+{{ functions.simple_item_list(value) }}};
+
+{# --- BOOLEANS --- #}
+{% elif key in ['check_integrity', 'check_sibling', 'check_wildcard', 'delegation_only', 'dnssec_dnskey_kskonly', 'dnssec_secure_to_insecure', 'inline_signing', 'ixfr_from_differences', 'multi_master', 'notify_to_soa', 'request_expire', 'request_ixfr', 'try_tcp_refresh', 'update_check_ksk', 'use_alt_transfer_source', 'zero_no_soa_ttl'] %}
+{{ (functions.boolean_option(conf_key, value)) }}
+
+{# --- BOOLEAN OR STRING --- #}
+{% elif key in ['dialup', 'notify', 'zone_statistics'] %}
+{{ conf_key }} {{ functions.boolean_or_string(value) }};
+
+{# --- QUOTED STRINGS --- #}
+{% elif key in ['file', 'journal', 'key_directory'] %}
+{{ conf_key }} "{{ value }}";
+
+{# --- DEPRECATED --- #}
+{% elif key == 'auto_dnssec' %}
+/* WARN: auto-dnssec is removed in BIND 9.20 */
+{{ conf_key }} {{ value }};
+
+{# --- FALLTHROUGH --- #}
+{% else %}
+{# Strict mode: Ignore unknown keys #}
 {% endif %}
-{# simple_list options #}
-{{ ('allow-notify {\n' + functions.simple_item_list(zone.allow_notify) + '};\n') if zone.allow_notify is defined and zone.allow_notify -}}
-{{ ('allow-query {\n' + functions.simple_item_list(zone.allow_query) + '};\n') if zone.allow_query is defined and zone.allow_query -}}
-{{ ('allow-query-on {\n' + functions.simple_item_list(zone.allow_query_on) + '};\n') if zone.allow_query_on is defined and zone.allow_query_on -}}
-{{ ('allow-update {\n' + functions.simple_item_list(zone.allow_update) + '};\n') if zone.allow_update is defined and zone.allow_update -}}
-{{ ('allow-update-forwarding {\n' + functions.simple_item_list(zone.allow_update_forwarding) + '};\n') if zone.allow_update_forwarding is defined and zone.allow_update_forwarding -}}
-{# ip_port_dscp options#}
-{% if zone.transfer_source is defined and zone.transfer_source is mapping %}
-transfer-source {{ zone.transfer_source.address -}}
-{{- (' port ' + zone.transfer_source.port | string) if zone.transfer_source.port is defined and zone.transfer_source.port -}}
-{{- (' dscp ' + zone.transfer_source.dscp | string) if zone.transfer_source.dscp is defined and zone.transfer_source.dscp }};
-{% endif %}
-{% if zone.transfer_source_v6 is defined and zone.transfer_source_v6 is mapping %}
-transfer-source-v6 {{ zone.transfer_source_v6.address -}}
-{{- (' port ' + zone.transfer_source_v6.port | string) if zone.transfer_source_v6.port is defined and zone.transfer_source_v6.port -}}
-{{- (' dscp ' + zone.transfer_source_v6.dscp | string) if zone.transfer_source_v6.dscp is defined and zone.transfer_source_v6.dscp }};
-{% endif %}
-{% if zone.alt_transfer_source is defined and zone.alt_transfer_source is mapping %}
-alt-transfer-source {{ zone.alt_transfer_source.address -}}
-{{- (' port ' + zone.alt_transfer_source.port | string) if zone.alt_transfer_source.port is defined and zone.alt_transfer_source.port -}}
-{{- (' dscp ' + zone.alt_transfer_source.dscp | string) if zone.alt_transfer_source.dscp is defined and zone.alt_transfer_source.dscp }};
-{% endif %}
-{% if zone.alt_transfer_source_v6 is defined and zone.alt_transfer_source_v6 is mapping %}
-alt-transfer-source-v6 {{ zone.alt_transfer_source_v6.address -}}
-{{- (' port ' + zone.alt_transfer_source_v6.port | string) if zone.alt_transfer_source_v6.port is defined and zone.alt_transfer_source_v6.port -}}
-{{- (' dscp ' + zone.alt_transfer_source_v6.dscp | string) if zone.alt_transfer_source_v6.dscp is defined and zone.alt_transfer_source_v6.dscp }};
-{% endif %}
-{% if zone.notify_source is defined and zone.notify_source is mapping %}
-notify-source {{ zone.notify_source.address -}}
-{{- (' port ' + zone.notify_source.port | string) if zone.notify_source.port is defined and zone.notify_source.port -}}
-{{- (' dscp ' + zone.notify_source.dscp | string) if zone.notify_source.dscp is defined and zone.notify_source.dscp }};
-{% endif %}
-{% if zone.notify_source_v6 is defined and zone.notify_source_v6 is mapping %}
-notify-source-v6 {{ zone.notify_source_v6.address -}}
-{{- (' port ' + zone.notify_source_v6.port | string) if zone.notify_source_v6.port is defined and zone.notify_source_v6.port -}}
-{{- (' dscp ' + zone.notify_source_v6.dscp | string) if zone.notify_source_v6.dscp is defined and zone.notify_source_v6.dscp }};
-{% endif %}
-{% if zone.parental_source is defined and zone.parental_source is mapping %}
-parental-source {{ zone.parental_source.address -}}
-{{- (' port ' + zone.parental_source.port | string) if zone.parental_source.port is defined and zone.parental_source.port -}}
-{{- (' dscp ' + zone.parental_source.dscp | string) if zone.parental_source.dscp is defined and zone.parental_source.dscp }};
-{% endif %}
-{% if zone.parental_source_v6 is defined and zone.parental_source_v6 is mapping %}
-parental-source-v6 {{ zone.parental_source_v6.address -}}
-{{- (' port ' + zone.parental_source_v6.port | string) if zone.parental_source_v6.port is defined and zone.parental_source_v6.port -}}
-{{- (' dscp ' + zone.parental_source_v6.dscp | string) if zone.parental_source_v6.dscp is defined and zone.parental_source_v6.dscp }};
-{% endif %}
-{# integer options #}
-{{ ('dnskey-sig-validity ' + zone.dnskey_sig_validity | string+';\n') if zone.dnskey_sig_validity is defined and zone.dnskey_sig_validity -}}
-{{ ('dnssec-loadkeys-interval ' + zone.dnssec_loadkeys_interval | string+';\n') if zone.dnssec_loadkeys_interval is defined and zone.dnssec_loadkeys_interval -}}
-{{ ('max-records ' + zone.max_records | string+';\n') if zone.max_records is defined and zone.max_records -}}
-{{ ('max-refresh-time ' + zone.max_refresh_time | string+';\n') if zone.max_refresh_time is defined and zone.max_refresh_time -}}
-{{ ('max-retry-time ' + zone.max_retry_time | string+';\n') if zone.max_retry_time is defined and zone.max_retry_time -}}
-{{ ('max-transfer-idle-in ' + zone.max_transfer_idle_in | string+';\n') if zone.max_transfer_idle_in is defined and zone.max_transfer_idle_in -}}
-{{ ('max-transfer-idle-out ' + zone.max_transfer_idle_out | string+';\n') if zone.max_transfer_idle_out is defined and zone.max_transfer_idle_out -}}
-{{ ('max-transfer-time-in ' + zone.max_transfer_time_in | string+';\n') if zone.max_transfer_time_in is defined and zone.max_transfer_time_in -}}
-{{ ('max-transfer-time-out ' + zone.max_transfer_time_out | string+';\n') if zone.max_transfer_time_out is defined and zone.max_transfer_time_out -}}
-{{ ('min-refresh-time ' + zone.min_refresh_time | string+';\n') if zone.min_refresh_time is defined and zone.min_refresh_time -}}
-{{ ('min-retry-time ' + zone.min_retry_time | string+';\n') if zone.min_retry_time is defined and zone.min_retry_time -}}
-{{ ('notify-delay ' + zone.notify_delay | string+';\n') if zone.notify_delay is defined and zone.notify_delay -}}
-{{ ('sig-signing-nodes ' + zone.sig_signing_nodes | string+';\n') if zone.sig_signing_nodes is defined and zone.sig_signing_nodes -}}
-{{ ('sig-signing-signatures ' + zone.sig_signing_signatures | string+';\n') if zone.sig_signing_signatures is defined and zone.sig_signing_signatures -}}
-{{ ('sig-signing-type ' + zone.sig_signing_type | string+';\n') if zone.sig_signing_type is defined and zone.sig_signing_type -}}
-{# boolean options #}
-{{ (functions.boolean_option('check-integrity', zone.check_integrity) + '\n') if zone.check_integrity is defined -}}
-{{ (functions.boolean_option('check-sibling', zone.check_sibling) + '\n') if zone.check_sibling is defined -}}
-{{ (functions.boolean_option('check-wildcard', zone.check_wildcard) + '\n') if zone.check_wildcard is defined -}}
-{{ (functions.boolean_option('delegation-only', zone.delegation_only) + '\n') if zone.delegation_only is defined -}}
-{{ (functions.boolean_option('dnssec-dnskey-kskonly', zone.dnssec_dnskey_kskonly) + '\n') if zone.dnssec_dnskey_kskonly is defined -}}
-{{ (functions.boolean_option('dnssec-secure-to-insecure', zone.dnssec_secure_to_insecure) + '\n') if zone.dnssec_secure_to_insecure is defined -}}
-{{ (functions.boolean_option('inline-signing', zone.inline_signing) + '\n') if zone.inline_signing is defined -}}
-{{ (functions.boolean_option('ixfr-from-differences', zone.ixfr_from_differences) + '\n') if zone.ixfr_from_differences is defined -}}
-{{ (functions.boolean_option('multi-master', zone.multi_master) + '\n') if zone.multi_master is defined -}}
-{{ (functions.boolean_option('notify-to-soa', zone.notify_to_soa) + '\n') if zone.notify_to_soa is defined -}}
-{{ (functions.boolean_option('request-expire', zone.request_expire) + '\n') if zone.request_expire is defined -}}
-{{ (functions.boolean_option('request-ixfr', zone.request_ixfr) + '\n') if zone.request_ixfr is defined -}}
-{{ (functions.boolean_option('try-tcp-refresh', zone.try_tcp_refresh) + '\n') if zone.try_tcp_refresh is defined -}}
-{{ (functions.boolean_option('update-check-ksk', zone.update_check_ksk) + '\n') if zone.update_check_ksk is defined -}}
-{{ (functions.boolean_option('use-alt-transfer-source', zone.use_alt_transfer_source) + '\n') if zone.use_alt_transfer_source is defined -}}
-{{ (functions.boolean_option('zero-no-soa-ttl', zone.zero_no_soa_ttl) + '\n') if zone.zero_no_soa_ttl is defined -}}
-{# multiple_choice options #}
-{{ ('auto-dnssec ' + zone.auto_dnssec | string+';\n') if zone.auto_dnssec is defined and zone.auto_dnssec -}}
-{{ ('check-dup-records ' + zone.check_dup_records | string+';\n') if zone.check_dup_records is defined and zone.check_dup_records -}}
-{{ ('check-mx-cname ' + zone.check_mx_cname | string+';\n') if zone.check_mx_cname is defined and zone.check_mx_cname -}}
-{{ ('check-mx ' + zone.check_mx | string+';\n') if zone.check_mx is defined and zone.check_mx -}}
-{{ ('check-names ' + zone.check_names | string+';\n') if zone.check_names is defined and zone.check_names -}}
-{{ ('check-spf ' + zone.check_spf | string+';\n') if zone.check_spf is defined and zone.check_spf -}}
-{{ ('check-srv-cname ' + zone.check_srv_cname | string+';\n') if zone.check_srv_cname is defined and zone.check_srv_cname -}}
-{{ ('dnssec-update-mode ' + zone.dnssec_update_mode | string+';\n') if zone.dnssec_update_mode is defined and zone.dnssec_update_mode -}}
-{{ ('masterfile-format ' + zone.masterfile_format | string+';\n') if zone.masterfile_format is defined and zone.masterfile_format -}}
-{{ ('masterfile-style ' + zone.masterfile_style | string+';\n') if zone.masterfile_style is defined and zone.masterfile_style -}}
-{{ ('max-ixfr-ratio ' + zone.max_ixfr_ratio | string+';\n') if zone.max_ixfr_ratio is defined and zone.max_ixfr_ratio -}}
-{{ ('max-journal-size ' + zone.max_journal_size | string+';\n') if zone.max_journal_size is defined and zone.max_journal_size -}}
-{{ ('max-zone-ttl ' + zone.max_zone_ttl | string+';\n') if zone.max_zone_ttl is defined and zone.max_zone_ttl -}}
-{{ ('serial-update-method ' + zone.serial_update_method | string+';\n') if zone.serial_update_method is defined and zone.serial_update_method -}}
-{# string options #}
-{{ ('database ' + zone.database | string+';\n') if zone.database is defined and zone.database -}}
-{{ ('dlz ' + zone.dlz | string+';\n') if zone.dlz is defined and zone.dlz -}}
-{{ ('dnssec-policy ' + zone.dnssec_policy | string+';\n') if zone.dnssec_policy is defined and zone.dnssec_policy -}}
-{{ ('in-view ' + zone.in_view | string+';\n') if zone.in_view is defined and zone.in_view -}}
-{% endfilter %}
-};
 
 {% endfor %}
-{% endmacro %}
+{% endfilter %}
+};
+{% endfor %}