docs: Update author and company contact information

- Update forwarders template with enhanced functionality
- Add molecule test cases for forwarders validation
- Update options and zone templates for compatibility

.gitlab-ci.yml

@@ -0,0 +1,22 @@
+---
+image: docker:stable-dind
+
+services:
+  - docker:dind
+
+before_script:
+  - apk add --no-cache
+    python3 python3-dev py3-pip gcc git curl build-base
+    autoconf automake py3-cryptography linux-headers
+    musl-dev libffi-dev openssl-dev openssh
+  - docker info
+  - python3 --version
+  - python3 -m pip install ansible molecule[docker]
+    ansible-lint
+  - ansible --version
+  - molecule --version
+
+molecule:
+  stage: test
+  script:
+    - molecule test

.travis.yml

@@ -1,35 +0,0 @@
----
-language: python
-python: "2.7"
-
-# Use the new container infrastructure
-sudo: required
-
-# Install ansible
-addons:
-  apt:
-    packages:
-    - python-pip
-
-install:
-  # Install ansible
-  - pip install ansible
-
-  # Check ansible version
-  - ansible --version
-
-  # Create ansible.cfg with correct roles_path
-  - printf '[defaults]\nroles_path=../' >ansible.cfg
-
-script:
-  # Basic role syntax check
-  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
-
-#notifications:
-#  webhooks: https://galaxy.ansible.com/api/v1/notifications/
-
-env:
-- distribution: debian
-  version: bullseye
-- distribution: ubuntu
-  version: jammy

README.md

@@ -13,7 +13,6 @@ What the role does not do:
 - Maintain every aspect of bind (rndc config, etc)
 - Auto-generate and manage your secrets 
 
-
 Bugs
 ----
 Or, as I call them "happy accidents".
@@ -24,6 +23,18 @@ Or, as I call them "happy accidents".
 Role Variables
 --------------
 
+General configuration
+=====================
+Review the [defaults](defaults/main.yml) for a full set of configurable parameters. Here are the most interesting ones:
+
+`bind9_backup_config: [true, false]`: Backup each named.conf.* file or not. Default is 'true'. This setting is useful for testing out configuration changes but can clutter up the destination directory quite a bit if used across many updates.
+
+`bind9_debug_config: [true, false]`: Print the resulting YAML configuration tree that was sent to the configuration template. Default is 'false'. Useful for comparing with the resulting named.conf files and comparing values.
+
+`bind9_config_indent: [integer]`: Indentation level for the configuration template. Default is '4'. Set this value to suit your style. Tabs are not supported.
+
+named.conf
+==========
 bind configuration is set through the various bind9_*_config parameters. These are, in order of precedence:
 1. bind9_default_config
 2. bind9_group_config
@@ -62,6 +73,7 @@ bind9_config:
   - name: named.conf.options
     options:
       recursion: false
+      notify: primary-only
   - name: named.conf.local
     zone:
       - name: "."
@@ -71,19 +83,112 @@ bind9_config:
 
 The `named.conf.options` block in `bind9_default_config` got completely overwritten by the `bind9_group_config`, and the `bind9_leaf_config` completely overwrote `named.conf.local`, however, `named.conf.options` was left intact after merging with `bind9_leaf_config`.
 
+Configuration Grammar
+---------------------
+The bind9 role tries to replicate the official ISC bind9 configuration format as close as possible,
+only re-implementing them in YAML format. This means that for the most part,
+section names are the same as in named.conf but kebab-case ('var-name') is replaced with snake_case ('var_name')
+If you are missing some statements in your resulting config, it is most likely because of this.
+
+The main configuration variable used are a series of bind_*_config variables (See [Role Variables]) that have the following syntax
+
+Every config starts by defining the file name. Each file can contain any amount of top-level statements,
+as permitted by named.conf 
+
+```
+bind9_host_config:
+  - name: FILENAME # The filename of your desired config file.
+                   # You also need to specify a corresponding `include:` for the file
+    SECTION_NAME: # The section name of the bind config you want to define.
+                  # Can be 'acl', 'options', 'zone', etc.
+                  # See: https://bind9.readthedocs.io/en/v9_18_4/reference.html#configuration-file-grammar
+    SECTION_2_NAME: # Every file can have as many sections as needed. Generally, try to keep 
+                    # all definitions and references together in a file.
+```
+
+Any option that can be defined multiple times in a named.conf, must be defined as a list
+```
+bind9_host_config:
+  - name: named.conf.local
+    acl:
+      - name: ELEMENT_NAME
+        addresses: 
+          - 127.0.0.1
+          - 127.0.0.2
+      - name: ELEMENT_2_NAME
+        addresses:
+          - 127.0.0.3
+```
+
+Simple options are defined just as that.
+```
+      SIMPLE_OPTION: string, boolean or integer value
+```
+
+Some options have several optional parameters. For those, a somewhat flexible 
+configuration format has been created
+```
+      IP_PORT_DSCP_OPTION: # Any option that is defined as one of:
+      #  <option> [ port <port> ] [ dscp <dscp> ] { <address> [ port <port> ] [ dscp <dscp> ]; ... }
+      #  <option> [ port <port> ] [ dscp <dscp> ] { <address> [ port <port> ] [ key <key> ] [ tls <tls> ]; ... }
+      # has a few optional syntaxes 
+      # Example 1: Simple address list
+        - ADDRESS1
+        - ADDRESS2
+      # Example 2: To define source port/dscp, use 'addresses' sub-element
+        [ port: PORT ]
+        [ dscp: DSCP ]
+        addresses:
+          - ADDRESS1
+          - ADDRESS2
+          - 127.0.0.1
+      # Example 3: To define target port/dscp, use 'addresses' as a list of dicts
+        addresses:
+          - address: ADDRESS
+            [ port: PORT ]
+            [ dscp: DSCP ]
+          - address: 127.0.0.1
+            port: 53
+          - address: 127.0.0.1
+            dscp: 42
+          - address: 127.0.0.1
+            port: 5353
+            dscp: 42
+      # Example 4: The various formats can be mixed and matched within the main element
+        - ADDRESS1
+        - address: ADDRESS2
+          port: PORT
+```
+
+
 Dependencies
 ------------
 
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+No dependencies
 
 Example Playbook
 ----------------
 
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+Simple sample config of a recursive BIND server that allows your localnetwork to resolve addresses via 
 
     - hosts: servers
       roles:
-         - { role: username.rolename, x: 42 }
+         - bind9
+      vars:
+        bind9_host_config:
+          - name: named.conf.local
+            acl:
+              - name: mylan
+                addresses:
+                  - 10.0.0.0/8
+          - name: named.conf.options
+            options:
+              forwarders:
+                - 1.1.1.1
+              allow-query:
+                - mylan
+              allow-recursion:
+                - mylan
 
 License
 -------
@@ -93,452 +198,5 @@ BSD
 Author Information
 ------------------
 
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
-
-```
-    options:
-      forwarders:
-        - 1.1.1.1
-        - 1.0.0.1
-      fetches_per_server: 200 fail
-      prefetch: 4 10
-      version: none
-      hostname: l33t.h4x0r
-      avoid_v4_udp_ports:
-        - "range 5132 5232"
-        - "range 1337 31337"
-      servfail_ttl: 0
-      allow_notify:
-        - 10.0.0.0/8
-      allow_query:
-        - "!10.0.2.1"
-        - 0/0
-      blackhole:
-        - 192.168.0.0/16
-      allow_recursion: []
-      empty_server: "empty.server.string"
-      dns64_server: "server.name"
-      dns64_contact: "dak.keepit.com"
-      directory: "{{ bind9_cachedir }}"
-      key_directory: "{{ bind9_cachedir }}/keys"
-      statistics_file: "{{ bind9_cachedir }}/named.stats"
-      rrset_order:
-        - type: A
-          name: foo.isc.org
-          order: random
-        - type: AAAA
-          name: foo.isc.org
-          order: cyclic
-        - name: bar.isc.org
-          order: random
-        - name: "*.bar.isc.org"
-          order: random
-        - name: "*.baz.isc.org"
-          order: cyclic
-      response_policy:
-        zones:
-          - zone: smorg.bop
-            max_policy_ttl: 30S
-            min_update_interval: 30S
-            policy: disabled
-            add_soa: true
-            log: true
-            recursive_only: false
-            nsip_enable: true
-            nsdname_enable: true
-        max_policy_ttl: 30S
-        min_update_interval: 30S
-        min_ns_dots: 2
-        add_soa: false
-        break_dnssec: false
-        nsip_wait_recurse: true
-        nsdname_wait_recurse: true
-        qname_wait_recurse: true
-        recursive_only: true
-        nsip_enable: true
-        nsdname_enable: true
-        dnsrps_enable: false
-        dnsrps_options:
-          - simple
-          - item
-          - list
-      response_padding:
-        block_size: 4096
-        addresses:
-          - 0/0
-      rate_limit:
-        all_per_second: 0
-        errors_per_second: 0
-        responses_per_second: 0
-        referrals_per_second: 0
-        nodata_per_second: 0
-        nxdomains_per_second: 0
-        ipv4_prefix_length: 24
-        ipv6_prefix_length: 54
-        max_table_size: 20000
-        min_table_size: 500
-        qps_scale: 250
-        slip: 2
-        window: 15
-        log_only: true
-        exempt_clients:
-          - 192.168.0.1
-          - 10.20.30.40
-      query_source_v6:
-        address: "*"
-        port: "*"
-        dscp: 42
-      parental_source_v6:
-        address: "*"
-        port: "*"
-        dscp: 42
-      notify_source_v6:
-        address: "*"
-      notify_source:
-        address: "*"
-      listen_on:
-        - port: 53
-          addresses:
-            - 0.0.0.0
-        - port: 5353
-          dscp: 42
-          addresses:
-            - 0.0.0.0
-            - 127.0.0.1
-      listen_on_v6:
-        - port: 5353
-          dscp: 42
-          addresses:
-            - "::"
-            - "de:ad::be:ef"
-      dialup: false
-      minimal_responses: true
-      zone_statistics: full
-      ixfr_from_differences: master
-      dual_stack_servers:
-        port: 4492
-        addresses:
-          - address: hostname.com
-            port: 4421
-            dscp: 42
-          - address: 10.128.128.182
-          - address: de:ad::be:ef
-      dnstap:
-        - type: auth
-        - type: client
-          log: response
-        - type: resolver
-          log: query
-      dnstap_output:
-        output_type: file
-        output_file: /tmp/dnstap
-        size: 10M
-        versions: 200
-        suffix: increment
-  - name: named.conf.local
-    acl:
-      localstuff:
-        - 10.0.0.0/8
-        - 192.168.0.0/16
-        - 172.16.0.0/12
-      external:
-        - 185.181.220.77
-        - "!0.0.0.0/0"
-    controls:
-      - type: inet
-        address: 127.0.0.1
-        port: 533
-        allow:
-          - 127.0.0.0/8
-          - "!127.13.37.1"
-        readonly: false
-      - type: inet
-        address: 10.20.30.40
-        allow:
-          - 100.0.0.0/8
-    view:
-      - name: recursive-view
-        match_clients:
-          - localstuff
-        match_destinations:
-          - remote
-        match-recursive-only: true
-        options:
-          transfer_source:
-            address: 0.0.0.0
-            port: '*'
-            dscp: 42
-          allow_recursion:
-            - localstuff
-        zones:
-          - name: google.com
-            type: forward
-            forward: only
-            forwarders:
-              - 1.1.1.1
-              - 1.0.0.1
-    dnssec_policy:
-      - name: mypolicy
-        keylist:
-          - role: ksk
-            key_directory: true
-            lifetime: unlimited
-            algorithm: rsasha256
-            keysize: 2048
-          - role: zsk
-            lifetime: P30D
-            algorithm: 8
-          - role: csk
-            lifetime: P6MT12H3M15S
-            algorithm: ecdsa256
-        max_zone_ttl: P4D
-        parent_ds_ttl: P14D
-        nsec3param:
-          iterations: '0'
-          optout: false
-          salt_length: '0'
-    dyndb:
-      - name: sample
-        driver: example.so
-        parameters:
-          - example.nil. arpa.
-          - example2.nil. arpa.
-    http:
-      - name: dohconf
-        endpoints:
-          - /dns-query
-          - /dns
-          - /query
-        listener_clients: 4
-        streams_per_connection: 1024
-    keylist:
-      - name: certbot.
-        algorithm: hmac-sha512
-        secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA=="
-      - name: certbot2.
-        algorithm: hmac-sha512
-        secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA=="
-    logging:
-      categories:
-        - name: default
-          channels:
-            - default_syslog
-            - default_debug
-            - tv2
-            - dr1
-        - name: unmatched
-          channels:
-            - tv3
-      channels:
-        - name: tv2
-          buffered: true
-          file:
-            name: /var/log/named.log
-            versions: 7
-            size: 20m
-            suffix: increment
-          print_category: false
-          print_severity: false
-          print_time: iso8601-utc
-          severity: info
-        - name: tv3
-          'null': true
-        - name: dr1
-          syslog: daemon
-        - name: kanalkobenhavn
-          stderr: true
-          severity: debug 3
-    parental_agents:
-      - name: parents
-        port: 53353
-        dscp: 42
-        addresses:
-          - address: 10.20.30.40
-            port: 53
-            key: certbot.
-          - address: 20.30.40.50
-            port: 53
-          - address: 30.40.50.60
-            key: certbot2.
-          - address: 40.50.60.70
-      - name: notparents
-        addresses:
-          - address: 10.20.30.40
-          - address: 30.40.50.60
-          - address: 40.50.60.70
-    primaries:
-      - name: parents
-        port: 53353
-        dscp: 42
-        addresses:
-          - address: 10.20.30.40
-            port: 53
-            key: certbot.
-          - address: 20.30.40.50
-            port: 53
-          - address: 30.40.50.60
-            key: certbot2.
-          - address: 40.50.60.70
-      - name: notparents
-        addresses:
-          - address: 10.20.30.40
-          - address: 30.40.50.60
-          - address: 40.50.60.70
-    tls:
-      - name: certbot
-        cert_file: /etc/ssl/private/snakeoil.pem
-        key_file: /etc/ssl/private/snakeoil.key
-        dhparam_file: /etc/ssl/dhparam.pem
-        ca_file: /etc/ssl/certs/ca-certificates.crt
-        remote_hostname: yourhostname
-        ciphers: HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384
-        protocols:
-          - TLSv1.2
-          - TLSv1.3
-        prefer_server_ciphers: true
-        session_tickets: true
-    trust_anchors:
-      - name: .
-        type: initial-key
-        flags: 257
-        protocol: 3
-        algorithm: 8
-        key: "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
-      - name: hugs.dk
-        type: static-ds
-        flags: 64335
-        protocol: 7
-        algorithm: 2
-        key: "D6AAECB1BA13D51F072A229C957ACADEA18118FB17DA2DC7D45A963428091372"
-    server:
-      - prefix: 1.1.1.1
-        bogus: false
-        edns: true
-        tcp_only: false
-        tcp_keepalive: false
-        edns_version: '0'
-        padding: '0'
-        transfers: '0'
-        keyname: certbot.
-        query_source:
-          address: "*"
-          port: "*"
-    statistics_channels:
-      - address: 0.0.0.0
-        port: 8080
-        allow:
-          - 0/0
-  - name: named.conf.zones
-    backup: false
-    zones:
-      - name: "_acme-challenge.hugs.dk"
-        type: master
-        file: master/_acme-challenge.hugs.dk.zone
-        allow_query:
-          - any
-        dnssec_policy: default
-        inline_signing: true
-        serial_update_method: date
-        update_policy:
-          - permission: grant
-            identity: certbot.
-            ruletype: name
-            name: _acme-challenge.hugs.dk
-            types: txt
-      - name: forward.net
-        type: forward
-        forwarders:
-          port: 53
-          addresses:
-            - address: 1.1.1.1
-              port: 53
-              dscp: 42
-            - address: 4.2.2.4
-              port: 53
-      - name: stub.com
-        type: static-stub
-        allow_query:
-          - any
-        server_addresses:
-          - 1.1.1.1
-          - 8.8.8.8
-        zone_statistics: full
-      - name: example.com
-        type: slave
-        allow_query:
-          - 127.0.0.1
-          - 10.0.0.1
-          - 128.15.14.13
-        allow_query_on:
-          - 127.0.0.1
-        primaries:
-          port: 5522
-          dscp: 42
-          addresses:
-            - address: 127.0.0.1
-              port: 55222
-            - address: 10.20.30.40
-      - name: smorg.bop
-        type: slave
-        primaries:
-          addresses:
-            - address: 127.0.0.1
-        allow_query:
-          - 15.14.13.12
-          - 10.20.30.40
-          - 28.25.23.24
-          - "!10.13.14.15"
-        forwarders:
-          port: 53
-          dscp: 42
-          addresses:
-            - address: 127.0.0.1
-              port: 53
-              dscp: 42
-            - address: 10.20.30.40
-              port: 53
-            - address: 20.30.40.50
-            - address: 30.40.50.60
-              port: 53
-        allow_transfer:
-          port: 5522
-          transport: tls
-          addresses:
-            - 192.168.122.1
-        also_notify:
-          port: 5523
-          dscp: 42
-          addresses:
-            - address: 127.0.0.1
-              port: 5523
-            - address: 127.0.0.2
-        auto-dnssec: allow
-        dnskey_sig_validity: 0
-        dnssec-dnskey-kskonly: true
-        dnssec_loadkeys_interval: 0
-        file: "string"
-        forward: first
-        inline_signing: true
-        ixfr_from_differences: true
-        masterfile_format: raw
-        masterfile_style: full
-        max_ixfr_ratio: unlimited
-        max_journal_size: default
-        max_records: 0
-        max_transfer_idle_out: 0
-        max_transfer_time_out: 0
-        notify: true
-        notify_delay: '0'
-        notify_to_soa: false
-        parental_agents:
-          port: 44332
-          dscp: 42
-          addresses:
-            - address: 127.0.0.1
-              port: 53
-        sig_signing_nodes: '0'
-        sig_signing_signatures: '0'
-        sig_signing_type: 65281
-        zero_no_soa_ttl: true
-        zone_statistics: full
-```
+Daniel Akulenok <daniel@valid.dk>
+Valid.dk

defaults/main.yml

@@ -11,6 +11,7 @@ bind9_backup_dir: /data/backup/bind
 
 bind9_backup_config: true
 bind9_debug_config: false
+bind9_config_indent: 4
 
 bind9_group_config: []
 bind9_leaf_config: []
@@ -27,4 +28,10 @@ bind9_default_config:
     options:
       directory: "{{ bind9_working_directory }}"
 
-bind9_config: "{{ [bind9_default_config, bind9_group_config, bind9_leaf_config, bind9_host_config] | community.general.lists_mergeby('name', recursive=true, list_merge='append_rp') }}"
+bind9_config: "{{ [bind9_default_config,
+  bind9_group_config,
+  bind9_leaf_config,
+  bind9_host_config] |
+  community.general.lists_mergeby('name',
+    recursive=true,
+    list_merge='append_rp') }}"

handlers/main.yml

@@ -1,22 +1,24 @@
 ---
 # handlers file for bind9
-- name: reload bind
+- name: Reload bind
   ansible.builtin.service:
     name: named
     state: reloaded
 
-- name: restart bind
+- name: Restart bind
   ansible.builtin.service:
     name: named
     state: restarted
 
-- name: backup bind config
+- name: Backup bind config
   community.general.archive:
     path:
       - "{{ bind9_cfgdir }}"
       - "{{ bind9_working_directory }}"
       - "{{ bind9_libdir }}"
-    dest: "{{ bind9_backup_dir }}/bind9-config-{{ ansible_date_time.iso8601_basic_short }}.tar.gz"
+    dest: "{{
+      bind9_backup_dir + '/bind9-config-' +
+      ansible_facts.date_time.iso8601_basic_short + '.tar.gz' }}"
     owner: root
     group: root
     mode: 0640

meta/main.yml

@@ -1,52 +1,32 @@
+---
 galaxy_info:
+  role_name: bind9
+  namespace: valid
+
   author: Daniel Akulenok
   description: Configure Bind9
   company: Valid.dk
 
-  # If the issue tracker for your role is not on github, uncomment the
-  # next line and provide a value
-  # issue_tracker_url: http://example.com/issue/tracker
+  issue_tracker_url: https://gitlab.valid.dk/operations/ansible-bind9-role
 
-  # Choose a valid license ID from https://spdx.org - some suggested licenses:
-  # - BSD-3-Clause (default)
-  # - MIT
-  # - GPL-2.0-or-later
-  # - GPL-3.0-only
-  # - Apache-2.0
-  # - CC-BY-4.0
-  license: GPL-2.0-or-later
+  license: GPL-3.0-or-later
 
-  min_ansible_version: 2.1
+  min_ansible_version: "2.13"
 
-  # If this a Container Enabled role, provide the minimum Ansible Container version.
-  # min_ansible_container_version:
+  platforms:
+    - name: Ubuntu
+      versions:
+        - jammy
+        - focal
+    - name: Debian
+      versions:
+        - bullseye
 
-  #
-  # Provide a list of supported platforms, and for each platform a list of versions.
-  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
-  # To view available platforms and versions (or releases), visit:
-  # https://galaxy.ansible.com/api/v1/platforms/
-  #
-  # platforms:
-  # - name: Fedora
-  #   versions:
-  #   - all
-  #   - 25
-  # - name: SomePlatform
-  #   versions:
-  #   - all
-  #   - 1.0
-  #   - 7
-  #   - 99.99
-
-  galaxy_tags: []
-    # List tags for your role here, one per line. A tag is a keyword that describes
-    # and categorizes the role. Users find roles by searching for tags. Be sure to
-    # remove the '[]' above, if you add tags to this list.
-    #
-    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
-    #       Maximum 20 tags per role.
+  galaxy_tags:
+    - bind9
+    - bind
+    - dns
+    - ubuntu
+    - debian
 
 dependencies: []
-  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
-  # if you add dependencies to this list.

molecule/default/collections.yml

@@ -0,0 +1,7 @@
+---
+collections:
+  - name: ansible.utils
+  - name: ansible.posix
+  - name: community.crypto
+  - name: community.general
+

molecule/default/converge.yml

@@ -0,0 +1,31 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    bind9_group_config:
+      - name: named.conf.options
+        options:
+          directory: "{{ bind9_working_directory }}"
+          forwarders:
+            port: 853
+            tls: common-upstream
+            addresses:
+              - address: 192.0.2.10
+                port: 5353
+                tls: leaf-a
+              - address:
+                  - 2001:db8::10
+                  - 198.51.100.10
+                tls: dual-stack
+              - 203.0.113.10
+        tls:
+          - name: common-upstream
+            remote_hostname: upstream.example
+          - name: leaf-a
+            remote_hostname: leaf-a.example
+          - name: dual-stack
+            remote_hostname: dual-stack.example
+  tasks:
+    - name: Include bind9 role
+      ansible.builtin.include_role:
+        name: ../../../ansible-bind9-role

molecule/default/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: podman
+platforms:
+  - name: debian-trixie
+    image: docker.io/jrei/systemd-debian:13
+    command: /lib/systemd/systemd
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      ALLOW_BROKEN_CONDITIONALS: true
+verifier:
+  name: ansible

molecule/default/prepare.yml

@@ -0,0 +1,6 @@
+---
+- hosts: all
+  tasks:
+    - name: Update apt
+      ansible.builtin.apt:
+        update_cache: true

molecule/default/verify.yml

@@ -0,0 +1,21 @@
+---
+- name: Verify forwarders configuration
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Read named.conf.options
+      ansible.builtin.slurp:
+        src: /etc/bind/named.conf.options
+      register: forwarders_file
+
+    - name: Assert forwarders render with port and tls
+      ansible.builtin.assert:
+        that:
+          - forwarders_content is search('forwarders port 853 tls common-upstream \{')
+          - forwarders_content is search('192.0.2.10 port 5353 tls leaf-a;')
+          - forwarders_content is search('2001:db8::10 tls dual-stack;')
+          - forwarders_content is search('198.51.100.10 tls dual-stack;')
+          - forwarders_content is search('203.0.113.10;')
+        fail_msg: "Forwarders block missing expected port/tls entries"
+      vars:
+        forwarders_content: "{{ forwarders_file.content | b64decode }}"

tasks/main.yml

@@ -4,6 +4,7 @@
   ansible.builtin.apt:
     name: "{{ bind9_packages }}"
     state: present
+    cache_valid_time: 3600
   tags:
     - bind9
     - packages
@@ -17,12 +18,13 @@
     mode: 0750
   when: bind9_backup_config is defined and bind9_backup_config
 
-- name: named.conf.generator
+- name: Template named.conf.generator
   ansible.builtin.template:
     src: named.conf.generator.j2
     dest: "{{ bind9_cfgdir }}/{{ item.name }}"
     owner: root
     group: bind
+    mode: 0640
     backup: "{{ item.backup | default('false') | bool }}"
   # validate: 'named-checkconf -z -j %s'
   loop: "{{ bind9_config }}"
@@ -32,8 +34,8 @@
     - bind9
     - template
   notify:
-    - backup bind config
-    - restart bind
+    - Backup bind config
+    - Restart bind
 
 - name: Ensure the named service is started
   ansible.builtin.service:

templates/named.conf.acl.j2

@@ -1,7 +1,7 @@
 {# ACL Macro. Very easy statement. It's just a list of address match elements. #}
-{% macro acl(acls) %}
-{% for acl in acls %}
+{% for acl in item.acl %}
+
 acl {{ acl.name }} {
 {{ functions.simple_item_list(acl.addresses) -}}
 };
-{% endfor %}{% endmacro %}
+{% endfor %}

templates/named.conf.controls.j2

@@ -1,7 +1,7 @@
-{% macro controls(controls) %}
+
 controls {
-{% filter indent(2, true) %}
-{% for control in controls %}
+{% filter indent(bind9_config_indent, true) %}
+{% for control in item.controls %}
 {% if control.type == "inet" %}
 {{ ('inet ' + control.address) -}}
 {{ (' port ' + control.port | string) if control.port is defined and control.port -}}
@@ -16,4 +16,3 @@ controls {
 {{ (' read-only ' + control.read_only | string) if control.read_only is defined -}};
 {% endfor %}};
 {% endfilter %}
-{% endmacro %}

templates/named.conf.dlz.j2

@@ -1,10 +1,9 @@
-{% macro dlz(dlzs) %}
-{% for dlz in dlzs if dlzs is iterable %}
+{% for dlz in item.dlz if item.dlz is iterable %}
+
 dlz "{{ dlz.name }}" {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {{ ('database "' + simple_item_list(dlz.database) + '";') }}
 {{ functions.boolean_option('search', dlz.search) }}
 {% endfilter %}
 };
 {% endfor %}
-{% endmacro %}

templates/named.conf.dnssec-policy.j2

@@ -1,10 +1,10 @@
-{% macro dnssec_policy(policies) %}
-{% for policy in policies if policies is iterable %}
+{% for policy in item.dnssec_policy if item.dnssec_policy is iterable %}
+
 dnssec-policy "{{ policy.name }}" {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% if policy.keys is defined and policy.keys %}
 keys {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% for dnskey in policy.keylist if policy.keylist is iterable %}
 {{ dnskey.role -}}
 {{ (' key-directory') if dnskey.key_directory is defined and dnskey.key_directory -}}
@@ -36,4 +36,3 @@ nsec3param
 {% endfilter %}
 };
 {% endfor %}
-{% endmacro %}

templates/named.conf.dyndb.j2

@@ -1,8 +1,7 @@
-{% macro dyndb(dyndbs) %}
-{% for dyndb in dyndbs if dyndbs is iterable %}
+{% for dyndb in item.dyndb if item.dyndb is iterable %}
+
 dyndb {{ dyndb.name }} "{{ dyndb.driver }}" {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {{ functions.simple_item_list(dyndb.parameters) -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.functions.j2

@@ -1,20 +1,27 @@
-{% macro simple_item_list(item_list, indent=2) %}
+{% macro simple_item_list(item_list, indent=bind9_config_indent) %}
 {# This macro is for use in simple address lists #}
 {% filter indent(indent, true) %}
 {{ item_list | join(';\n') }};
 {% endfilter %}
 {% endmacro %}
 
-{% macro list_address_port_key_tls(dict, indent=2) %}
+{% macro list_address_port_key_tls(dict, indent=bind9_config_indent) %}
 {% filter indent(indent, true) %}
 {% for item in dict %}
 {% if item is not mapping %}
 {{ item -}};
-{% else %}
+{% elif item.address is string %}
 {{ item.address -}}
 {{- (' port ' + item.port | string) if item.port is defined -}}
 {{- (' key ' + item.key | string) if item.key is defined -}}
 {{- (' tls ' + item.tls | string) if item.tls is defined -}};
+{% elif item.address is sequence %}
+{% for address in item.address %}
+{{ address -}}
+{{- (' port ' + item.port | string) if item.port is defined -}}
+{{- (' key ' + item.key | string) if item.key is defined -}}
+{{- (' tls ' + item.tls | string) if item.tls is defined -}};
+{% endfor %}
 {% endif %}
 {% endfor %}
 {% endfilter %}
@@ -35,7 +42,47 @@
 {% endif %}
 {% endmacro %}
 
-{% macro list_address_port_dscp(dict, indent=2) %}
+{% macro list_address_port_tls(dict, indent=bind9_config_indent) %}
+{# This macro is for use for statements with grammar like #}
+{#  address port 00 tls string; address port 00 tls string; #}
+{# it is usually called by a parent macro #}
+{% filter indent(indent, true) %}
+{% for item in dict %}
+{% if item is not mapping %}
+{{ item }};
+{% elif item.address is string %}
+{{ item.address -}}
+{{- (' port ' + item.port | string) if item.port is defined and item.port -}}
+{{- (' tls ' + item.tls | string) if item.tls is defined and item.tls -}};
+{% elif item.address is sequence %}
+{% for address in item.address %}
+{{ address -}}
+{{- (' port ' + item.port | string) if item.port is defined and item.port -}}
+{{- (' tls ' + item.tls | string) if item.tls is defined and item.tls -}};
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endfilter %}
+{% endmacro %}
+
+{% macro parent_address_port_tls(name, dict) %}
+{# This macro is for statements with grammar like #}
+{# statement port 00 tls string { address port 00 tls string; address port 00 tls string; } #}
+{# the list inside the statement is handled by list_address_port_tls #}
+{% if dict is not mapping and dict is iterable %}
+{{ name }} {
+{{ list_address_port_tls(dict) -}}
+};
+{% else %}
+{{ name }}
+{{- (' port ' + dict.port | string) if dict.port is defined and dict.port -}}
+{{- (' tls ' + dict.tls | string) if dict.tls is defined and dict.tls }} {
+{{ list_address_port_tls(dict.addresses) -}}
+};
+{% endif %}
+{% endmacro %}
+
+{% macro list_address_port_dscp(dict, indent=bind9_config_indent) %}
 {# This macro is for use for statements with grammar like #}
 {#  address port 00 dscp 00; address port 00 dscp 00; #}
 {# it is usually called by a parent macro #}
@@ -58,12 +105,14 @@
 {# the list inside the statement is handled by list_address_port #}
 {% if dict is not mapping and dict is iterable %}
 {{ name }} {
-{{ list_address_port_dscp(dict) }}};
+{{ list_address_port_dscp(dict) }}
+};
 {% else %}
 {{ name }}
 {{- (' port ' + dict.port | string) if dict.port is defined and dict.port -}}
 {{- (' dscp ' + dict.dscp | string) if dict.dscp is defined and dict.dscp }} {
-{{ list_address_port_dscp(dict.addresses) }}};
+{{ list_address_port_dscp(dict.addresses) }}
+};
 {% endif %}
 {% endmacro %}
 

templates/named.conf.generator.j2

@@ -1,79 +1,56 @@
-{% import 'named.conf.functions.j2' as functions %}
+{% import 'named.conf.functions.j2' as functions with context %}
 {{ ansible_managed | comment }}
 {% if item.options is defined and item.options %}
-{% from 'named.conf.options.j2' import options with context %}
-options {
-{% filter indent(2,true)%}
-{{ options(item.options) -}}
-{% endfilter %}
-};
-
+{% include 'named.conf.options.j2' %}
 {% endif %}
 {% if item.acl is defined and item.acl %}
-{% from 'named.conf.acl.j2' import acl with context %}
-{{ acl(item.acl) }}
-{% endif %}
-{% if item.zones is defined and item.zones %}
-{% from 'named.conf.zone.j2' import zones with context %}
-{{ zones(item.zones) }}
-{% endif %}
-{% if item.controls is defined and item.controls %}
-{% from 'named.conf.controls.j2' import controls with context %}
-{{ controls(item.controls) }}
-{% endif %}
-{% if item.include is defined and item.include %}
-{% from 'named.conf.include.j2' import include with context %}
-{{ include(item.include) }}
-{% endif %}
-{% if item.dlz is defined and item.dlz %}
-{% from 'named.conf.dlz.j2' import dlz with context %}
-{{ dlz(item.dlz) }}
-{% endif %}
-{% if item.dnssec_policy is defined and item.dnssec_policy %}
-{% from 'named.conf.dnssec-policy.j2' import dnssec_policy with context %}
-{{ dnssec_policy(item.dnssec_policy) }}
-{% endif %}
-{% if item.dyndb is defined and item.dyndb %}
-{% from 'named.conf.dyndb.j2' import dyndb with context %}
-{{ dyndb(item.dyndb) }}
-{% endif %}
-{% if item.http is defined and item.http %}
-{% from 'named.conf.http.j2' import http with context %}
-{{ http(item.http) }}
-{% endif %}
-{% if item.keylist is defined and item.keylist %}
-{% from 'named.conf.key.j2' import keylist with context %}
-{{ keylist(item.keylist) }}
-{% endif %}
-{% if item.logging is defined and item.logging %}
-{% from 'named.conf.logging.j2' import logging with context %}
-{{ logging(item.logging) }}
-{% endif %}
-{% if item.parental_agents is defined and item.parental_agents %}
-{% from 'named.conf.parental-agents.j2' import parental_agents with context %}
-{{ parental_agents(item.parental_agents) }}
+{% include 'named.conf.acl.j2' %}
 {% endif %}
 {% if item.primaries is defined and item.primaries %}
-{% from 'named.conf.primaries.j2' import primaries with context %}
-{{ primaries(item.primaries) }}
+{% include 'named.conf.primaries.j2' %}
+{% endif %}
+{% if item.controls is defined and item.controls %}
+{% include 'named.conf.controls.j2' %}
+{% endif %}
+{% if item.include is defined and item.include %}
+{% include 'named.conf.include.j2' %}
+{% endif %}
+{% if item.dlz is defined and item.dlz %}
+{% include 'named.conf.dlz.j2' %}
+{% endif %}
+{% if item.dnssec_policy is defined and item.dnssec_policy %}
+{% include 'named.conf.dnssec-policy.j2' %}
+{% endif %}
+{% if item.dyndb is defined and item.dyndb %}
+{% include 'named.conf.dyndb.j2' %}
+{% endif %}
+{% if item.http is defined and item.http %}
+{% include 'named.conf.http.j2' %}
+{% endif %}
+{% if item.keylist is defined and item.keylist %}
+{% include 'named.conf.key.j2' %}
+{% endif %}
+{% if item.logging is defined and item.logging %}
+{% include 'named.conf.logging.j2' %}
+{% endif %}
+{% if item.parental_agents is defined and item.parental_agents %}
+{% include 'named.conf.parental-agents.j2' %}
 {% endif %}
 {% if item.server is defined and item.server %}
-{% from 'named.conf.server.j2' import server with context %}
-{{ server(item.server) }}
+{% include  'named.conf.server.j2' %}
 {% endif %}
 {% if item.statistics_channels is defined and item.statistics_channels %}
-{% from 'named.conf.statistics-channels.j2' import statistics_channels with context %}
-{{ statistics_channels(item.statistics_channels) }}
+{% include 'named.conf.statistics-channels.j2' %}
 {% endif %}
 {% if item.tls is defined and item.tls %}
-{% from 'named.conf.tls.j2' import tls with context %}
-{{ tls(item.tls) }}
+{% include 'named.conf.tls.j2' %}
 {% endif %}
 {% if item.trust_anchors is defined and item.trust_anchors %}
-{% from 'named.conf.trust-anchors.j2' import trust_anchors with context %}
-{{ trust_anchors(item.trust_anchors) }}
+{% include 'named.conf.trust-anchors.j2' %}
+{% endif %}
+{% if item.zones is defined and item.zones %}
+{% include 'named.conf.zone.j2' %}
 {% endif %}
 {% if item.view is defined and item.view %}
-{% from 'named.conf.view.j2' import view with context %}
-{{ view(item.view) }}
+{% include 'named.conf.view.j2' %}
 {% endif %}

templates/named.conf.http.j2

@@ -1,10 +1,10 @@
-{% macro http(seq) %}
-{% for http in seq if seq is iterable %}
+{% for http in item.http if item.http is iterable %}
+
 http {{ http.name }} {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% if http.endpoints is defined and http.endpoints %}
 endpoints {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% for endpoint in http.endpoints %}
 {{ '"' + endpoint + '";' }} 
 {% endfor %}
@@ -14,4 +14,3 @@ endpoints {
 {{ ('streams-per-connection ' + http.streams_per_connection | string + ';\n') if http.streams_per_connection is defined and http.streams_per_connection -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.include.j2

@@ -1,5 +1,4 @@
-{% macro include(files) %}
-{% for file in files %}
+
+{% for file in item.include %}
 include "{{ file }}";
 {% endfor %}
-{% endmacro %}

templates/named.conf.key.j2

@@ -1,9 +1,8 @@
-{% macro keylist(keylists) %}
-{% for keyname in keylists if keylists is iterable %}
+{% for keyname in item.keylist if item.keylist is iterable %}
+
 key {{ keyname.name }} {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {{ ('algorithm ' + keyname.algorithm + ';\n') if keyname.algorithm is defined and keyname.algorithm -}}
 {{ ('secret "' + keyname.secret + '";\n') if keyname.secret is defined and keyname.secret -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.logging.j2

@@ -1,13 +1,13 @@
-{% macro logging(logging) %}
+
 logging {
-{% filter indent(2, true) %}
-{% for category in logging.categories if logging.categories is defined and logging.categories %}
+{% filter indent(bind9_config_indent, true) %}
+{% for category in item.logging.categories if item.logging.categories is defined and item.logging.categories %}
 category {{ category.name }} {
 {{ functions.simple_item_list(category.channels) }}};
 {% endfor %}
-{% for channel in logging.channels if logging.channels is defined and logging.channels %}
+{% for channel in item.logging.channels if item.logging.channels is defined and item.logging.channels %}
 channel {{ channel.name }} {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% if channel.file is defined and channel.file %}
 file "{{ channel.file.name }}"
 {{- (' versions ' + channel.file.versions | string) if channel.file.versions is defined and channel.file.versions -}}
@@ -26,4 +26,3 @@ file "{{ channel.file.name }}"
 };
 {% endfor %}
 {% endfilter %}};
-{% endmacro %}

templates/named.conf.options.j2

@@ -1,9 +1,11 @@
-{% macro options(option) %}
+
+options {
+{% filter indent(bind9_config_indent,true)%}
 {# Unicorn Options#}
-{% if option.rrset_order is defined and option.rrset_order %}
+{% if item.options.rrset_order is defined and item.options.rrset_order %}
 rrset-order {
-{% filter indent(4, true) %}
-{% for rrset in option.rrset_order %}
+{% filter indent(bind9_config_indent, true) %}
+{% for rrset in item.options.rrset_order %}
 {{ ('class ' + rrset.class | string + ' ') if rrset.class is defined and rrset.class -}}
 {{ ('type ' + rrset.type | string + ' ') if rrset.type is defined and rrset.type -}}
 {{ ('name "' + rrset.name | string + '" ') if rrset.name is defined and rrset.name -}}
@@ -11,10 +13,10 @@ rrset-order {
 {% endfor %}
 {% endfilter %}};
 {% endif %}
-{% if option.response_policy is defined and option.response_policy %}
+{% if item.options.response_policy is defined and item.options.response_policy %}
 response-policy {
-{% filter indent(2, true) %}
-{% for zone in option.response_policy.zones %}
+{% filter indent(bind9_config_indent, true) %}
+{% for zone in item.options.response_policy.zones %}
 {{- ('zone ' + zone.zone | string) -}}
 {{- (' max-policy-ttl ' + zone.max_policy_ttl | string) if zone.max_policy_ttl is defined and zone.max_policy_ttl -}}
 {{- (' min-update-interval ' + zone.min_update_interval | string) if zone.min_update_interval is defined and zone.min_update_interval -}}
@@ -26,47 +28,47 @@ response-policy {
 {{- (' nsdname-enable ' + functions.named_boolean(zone.nsdname_enable)) if zone.nsdname_enable is defined }};
 {% endfor %}
 {% endfilter %}}
-{{- (' max-policy-ttl ' + option.response_policy.max_policy_ttl | string) if option.response_policy.max_policy_ttl is defined and option.response_policy.max_policy_ttl -}}
-{{- (' min-update-interval ' + option.response_policy.min_update_interval | string) if option.response_policy.min_update_interval is defined and option.response_policy.min_update_interval -}}
-{{- (' min-ns-dots ' + option.response_policy.min_ns_dots | string) if option.response_policy.min_ns_dots is defined and option.response_policy.min_ns_dots -}}
-{{- (' add-soa ' + functions.named_boolean(option.response_policy.add_soa)) if option.response_policy.add_soa is defined -}}
-{{- (' break-dnssec ' + functions.named_boolean(option.response_policy.break_dnssec)) if option.response_policy.break_dnssec is defined -}}
-{{- (' nsip-wait-recurse ' + functions.named_boolean(option.response_policy.nsip_wait_recurse)) if option.response_policy.nsip_wait_recurse is defined -}}
-{{- (' nsdname-wait-recurse ' + functions.named_boolean(option.response_policy.nsdname_wait_recurse)) if option.response_policy.nsdname_wait_recurse is defined -}}
-{{- (' qname-wait-recurse ' + functions.named_boolean(option.response_policy.qname_wait_recurse)) if option.response_policy.qname_wait_recurse is defined -}}
-{{- (' recursive-only ' + functions.named_boolean(option.response_policy.recursive_only)) if option.response_policy.recursive_only is defined -}}
-{{- (' nsip-enable ' + functions.named_boolean(option.response_policy.nsip_enable)) if option.response_policy.nsip_enable is defined -}}
-{{- (' nsdname-enable ' + functions.named_boolean(option.response_policy.nsdname_enable)) if option.response_policy.nsdname_enable is defined -}}
-{{- (' dnsrps-enable ' + functions.named_boolean(option.response_policy.dnsrps_enable)) if option.response_policy.dnsrps_enable is defined -}}
-{{- (' dnsrps-options {\n' + functions.simple_item_list(option.response_policy.dnsrps_options) + '}') if option.response_policy.dnsrps_options is defined and option.response_policy.dnsrps_options -}};
+{{- (' max-policy-ttl ' + item.options.response_policy.max_policy_ttl | string) if item.options.response_policy.max_policy_ttl is defined and item.options.response_policy.max_policy_ttl -}}
+{{- (' min-update-interval ' + item.options.response_policy.min_update_interval | string) if item.options.response_policy.min_update_interval is defined and item.options.response_policy.min_update_interval -}}
+{{- (' min-ns-dots ' + item.options.response_policy.min_ns_dots | string) if item.options.response_policy.min_ns_dots is defined and item.options.response_policy.min_ns_dots -}}
+{{- (' add-soa ' + functions.named_boolean(item.options.response_policy.add_soa)) if item.options.response_policy.add_soa is defined -}}
+{{- (' break-dnssec ' + functions.named_boolean(item.options.response_policy.break_dnssec)) if item.options.response_policy.break_dnssec is defined -}}
+{{- (' nsip-wait-recurse ' + functions.named_boolean(item.options.response_policy.nsip_wait_recurse)) if item.options.response_policy.nsip_wait_recurse is defined -}}
+{{- (' nsdname-wait-recurse ' + functions.named_boolean(item.options.response_policy.nsdname_wait_recurse)) if item.options.response_policy.nsdname_wait_recurse is defined -}}
+{{- (' qname-wait-recurse ' + functions.named_boolean(item.options.response_policy.qname_wait_recurse)) if item.options.response_policy.qname_wait_recurse is defined -}}
+{{- (' recursive-only ' + functions.named_boolean(item.options.response_policy.recursive_only)) if item.options.response_policy.recursive_only is defined -}}
+{{- (' nsip-enable ' + functions.named_boolean(item.options.response_policy.nsip_enable)) if item.options.response_policy.nsip_enable is defined -}}
+{{- (' nsdname-enable ' + functions.named_boolean(item.options.response_policy.nsdname_enable)) if item.options.response_policy.nsdname_enable is defined -}}
+{{- (' dnsrps-enable ' + functions.named_boolean(item.options.response_policy.dnsrps_enable)) if item.options.response_policy.dnsrps_enable is defined -}}
+{{- (' dnsrps-options { ' + item.options.response_policy.dnsrps_options | join('; ') + '; }') if item.options.response_policy.dnsrps_options is defined and item.options.response_policy.dnsrps_options -}};
 {% endif %}
-{% if option.response_padding is defined and option.response_padding %}
+{% if item.options.response_padding is defined and item.options.response_padding %}
 response-padding {
-{{ functions.simple_item_list(option.response_padding.addresses) }}}
-{{- (' block-size ' + option.response_padding.block_size | string) }}; 
+{{ functions.simple_item_list(item.options.response_padding.addresses) }}}
+{{- (' block-size ' + item.options.response_padding.block_size | string) }}; 
 {% endif %}
-{% if option.rate_limit is defined and option.rate_limit %}
+{% if item.options.rate_limit is defined and item.options.rate_limit %}
 rate-limit {
-{% filter indent(2, true) %}
-{{ ('all-per-second ' + option.rate_limit.all_per_second | string + ';\n') if option.rate_limit.all_per_second is defined and option.rate_limit.all_per_second -}}
-{{ ('errors-per-second ' + option.rate_limit.errors_per_second | string + ';\n') if option.rate_limit.errors_per_second is defined and option.rate_limit.errors_per_second -}}
-{{ ('responses-per-second ' + option.rate_limit.responses_per_second | string + ';\n') if option.rate_limit.responses_per_second is defined and option.rate_limit.responses_per_second -}}
-{{ ('referrals-per-second ' + option.rate_limit.referrals_per_second | string + ';\n') if option.rate_limit.referrals_per_second is defined and option.rate_limit.referrals_per_second -}}
-{{ ('nodata-per-second ' + option.rate_limit.nodata_per_second | string + ';\n') if option.rate_limit.nodata_per_second is defined and option.rate_limit.nodata_per_second -}}
-{{ ('nxdomains-per-second ' + option.rate_limit.nxdomains_per_second | string + ';\n') if option.rate_limit.nxdomains_per_second is defined and option.rate_limit.nxdomains_per_second -}}
-{{ ('ipv4-prefix-length ' + option.rate_limit.ipv4_prefix_length | string + ';\n') if option.rate_limit.ipv4_prefix_length is defined and option.rate_limit.ipv4_prefix_length -}}
-{{ ('ipv6-prefix-length ' + option.rate_limit.ipv6_prefix_length | string + ';\n') if option.rate_limit.ipv6_prefix_length is defined and option.rate_limit.ipv6_prefix_length -}}
-{{ ('max-table-size ' + option.rate_limit.max_table_size | string + ';\n') if option.rate_limit.max_table_size is defined and option.rate_limit.max_table_size -}}
-{{ ('min-table-size ' + option.rate_limit.min_table_size | string + ';\n') if option.rate_limit.min_table_size is defined and option.rate_limit.min_table_size -}}
-{{ ('qps-scale ' + option.rate_limit.qps_scale | string + ';\n') if option.rate_limit.qps_scale is defined and option.rate_limit.qps_scale -}}
-{{ ('window ' + option.rate_limit.window | string + ';\n') if option.rate_limit.window is defined and option.rate_limit.window -}}
-{{ ('slip ' + option.rate_limit.slip | string + ';\n') if option.rate_limit.slip is defined and option.rate_limit.slip -}}
-{{ ('log-only ' + functions.named_boolean(option.rate_limit.log_only) + ';\n') if option.rate_limit.log_only is defined -}}
-{{ ('exempt-clients {\n' + functions.simple_item_list(option.rate_limit.exempt_clients) + '};\n') if option.rate_limit.exempt_clients is defined and option.rate_limit.exempt_clients -}}
+{% filter indent(bind9_config_indent, true) %}
+{{ ('all-per-second ' + item.options.rate_limit.all_per_second | string + ';\n') if item.options.rate_limit.all_per_second is defined and item.options.rate_limit.all_per_second -}}
+{{ ('errors-per-second ' + item.options.rate_limit.errors_per_second | string + ';\n') if item.options.rate_limit.errors_per_second is defined and item.options.rate_limit.errors_per_second -}}
+{{ ('responses-per-second ' + item.options.rate_limit.responses_per_second | string + ';\n') if item.options.rate_limit.responses_per_second is defined and item.options.rate_limit.responses_per_second -}}
+{{ ('referrals-per-second ' + item.options.rate_limit.referrals_per_second | string + ';\n') if item.options.rate_limit.referrals_per_second is defined and item.options.rate_limit.referrals_per_second -}}
+{{ ('nodata-per-second ' + item.options.rate_limit.nodata_per_second | string + ';\n') if item.options.rate_limit.nodata_per_second is defined and item.options.rate_limit.nodata_per_second -}}
+{{ ('nxdomains-per-second ' + item.options.rate_limit.nxdomains_per_second | string + ';\n') if item.options.rate_limit.nxdomains_per_second is defined and item.options.rate_limit.nxdomains_per_second -}}
+{{ ('ipv4-prefix-length ' + item.options.rate_limit.ipv4_prefix_length | string + ';\n') if item.options.rate_limit.ipv4_prefix_length is defined and item.options.rate_limit.ipv4_prefix_length -}}
+{{ ('ipv6-prefix-length ' + item.options.rate_limit.ipv6_prefix_length | string + ';\n') if item.options.rate_limit.ipv6_prefix_length is defined and item.options.rate_limit.ipv6_prefix_length -}}
+{{ ('max-table-size ' + item.options.rate_limit.max_table_size | string + ';\n') if item.options.rate_limit.max_table_size is defined and item.options.rate_limit.max_table_size -}}
+{{ ('min-table-size ' + item.options.rate_limit.min_table_size | string + ';\n') if item.options.rate_limit.min_table_size is defined and item.options.rate_limit.min_table_size -}}
+{{ ('qps-scale ' + item.options.rate_limit.qps_scale | string + ';\n') if item.options.rate_limit.qps_scale is defined and item.options.rate_limit.qps_scale -}}
+{{ ('window ' + item.options.rate_limit.window | string + ';\n') if item.options.rate_limit.window is defined and item.options.rate_limit.window -}}
+{{ ('slip ' + item.options.rate_limit.slip | string + ';\n') if item.options.rate_limit.slip is defined and item.options.rate_limit.slip -}}
+{{ ('log-only ' + functions.named_boolean(item.options.rate_limit.log_only) + ';\n') if item.options.rate_limit.log_only is defined -}}
+{{ ('exempt-clients {\n' + functions.simple_item_list(item.options.rate_limit.exempt_clients) + '};\n') if item.options.rate_limit.exempt_clients is defined and item.options.rate_limit.exempt_clients -}}
 {% endfilter %}};
 {% endif %}
-{% if option.listen_on_v6 is defined and option.listen_on_v6 %}
-{% for listen in option.listen_on_v6 if option.listen_on_v6 is not mapping %}
+{% if item.options.listen_on_v6 is defined and item.options.listen_on_v6 %}
+{% for listen in item.options.listen_on_v6 if item.options.listen_on_v6 is not mapping %}
 listen-on-v6
 {{- (' port ' + listen.port | string) if listen.port is defined and listen.port -}}
 {{- (' dscp ' + listen.dscp | string) if listen.dscp is defined and listen.dscp -}}
@@ -75,15 +77,15 @@ listen-on-v6
 {{ functions.simple_item_list(listen.addresses) }}};
 {% else %}
 listen-on-v6
-{{- (' port ' + option.listen_on_v6.port | string) if option.listen_on_v6.port is defined and option.listen_on_v6.port -}}
-{{- (' dscp ' + option.listen_on_v6.dscp | string) if option.listen_on_v6.dscp is defined and option.listen_on_v6.dscp -}}
-{{- (' tls ' + option.listen_on_v6.tls | string) if option.listen_on_v6.tls is defined and option.listen_on_v6.tls -}}
-{{- (' http ' + option.listen_on_v6.http | string) if option.listen_on_v6.http is defined and option.listen_on_v6.http }} {
-{{ functions.simple_item_list(option.listen_on_v6.addresses) }}};
+{{- (' port ' + item.options.listen_on_v6.port | string) if item.options.listen_on_v6.port is defined and item.options.listen_on_v6.port -}}
+{{- (' dscp ' + item.options.listen_on_v6.dscp | string) if item.options.listen_on_v6.dscp is defined and item.options.listen_on_v6.dscp -}}
+{{- (' tls ' + item.options.listen_on_v6.tls | string) if item.options.listen_on_v6.tls is defined and item.options.listen_on_v6.tls -}}
+{{- (' http ' + item.options.listen_on_v6.http | string) if item.options.listen_on_v6.http is defined and item.options.listen_on_v6.http }} {
+{{ functions.simple_item_list(item.options.listen_on_v6.addresses) }}};
 {% endfor %}
 {% endif %}
-{% if option.listen_on is defined and option.listen_on %}
-{% for listen in option.listen_on if option.listen_on is not mapping %}
+{% if item.options.listen_on is defined and item.options.listen_on %}
+{% for listen in item.options.listen_on if item.options.listen_on is not mapping %}
 listen-on
 {{- (' port ' + listen.port | string) if listen.port is defined and listen.port -}}
 {{- (' dscp ' + listen.dscp | string) if listen.dscp is defined and listen.dscp -}}
@@ -92,46 +94,46 @@ listen-on
 {{ functions.simple_item_list(listen.addresses) }}};
 {% else %}
 listen-on
-{{- (' port ' + option.listen_on.port | string) if option.listen_on.port is defined and option.listen_on.port -}}
-{{- (' dscp ' + option.listen_on.dscp | string) if option.listen_on.dscp is defined and option.listen_on.dscp -}}
-{{- (' tls ' + option.listen_on.tls | string) if option.listen_on.tls is defined and option.listen_on.tls -}}
-{{- (' http ' + option.listen_on.http | string) if option.listen_on.http is defined and option.listen_on.http }} {
-{{ functions.simple_item_list(option.listen_on.addresses) }}};
+{{- (' port ' + item.options.listen_on.port | string) if item.options.listen_on.port is defined and item.options.listen_on.port -}}
+{{- (' dscp ' + item.options.listen_on.dscp | string) if item.options.listen_on.dscp is defined and item.options.listen_on.dscp -}}
+{{- (' tls ' + item.options.listen_on.tls | string) if item.options.listen_on.tls is defined and item.options.listen_on.tls -}}
+{{- (' http ' + item.options.listen_on.http | string) if item.options.listen_on.http is defined and item.options.listen_on.http }} {
+{{ functions.simple_item_list(item.options.listen_on.addresses) }}};
 {% endfor %}
 {% endif %}
-{{ functions.parent_address_port_dscp("forwarders", option.forwarders) if option.forwarders is defined and option.forwarders -}}
-{% if option.dual_stack_servers is defined and option.dual_stack_servers %}
+{{ functions.parent_address_port_tls('forwarders', item.options.forwarders) if item.options.forwarders is defined and item.options.forwarders -}}
+{% if item.options.dual_stack_servers is defined and item.options.dual_stack_servers %}
 dual-stack-servers
-{{ (' port ' + option.dual_stack_servers.port | string) if option.dual_stack_servers.port is defined and option.dual_stack_servers }} {
-{% for host in option.dual_stack_servers.addresses %}
-{% filter indent(2, true) %}
+{{ (' port ' + item.options.dual_stack_servers.port | string) if item.options.dual_stack_servers.port is defined and item.options.dual_stack_servers }} {
+{% for host in item.options.dual_stack_servers.addresses %}
+{% filter indent(bind9_config_indent, true) %}
 {{ host.address | ansible.utils.ipaddr | ternary(host.address, '"' + host.address + '"') }}
 {{- (' port ' + host.port | string) if host.port is defined and host.port -}}
 {{- (' dscp ' + host.dscp | string) if host.dscp is defined and host.dscp -}};
 {% endfilter %}
 {% endfor %}};
 {% endif %}
-{% if option.dnstap_output is defined and option.dnstap_output %}
-dnstap-output {{ option.dnstap_output.output_type -}}
-{{- ' "' + option.dnstap_output.output_file + '"' -}}
-{{- (' size ' + option.dnstap_output.size | string) if option.dnstap_output.size is defined and option.dnstap_output.size -}}
-{{- (' versions ' + option.dnstap_output.versions | string) if option.dnstap_output.versions is defined and option.dnstap_output.versions -}}
-{{- (' suffix ' + option.dnstap_output.suffix | string) if option.dnstap_output.suffix is defined and option.dnstap_output.suffix -}};
+{% if item.options.dnstap_output is defined and item.options.dnstap_output %}
+dnstap-output {{ item.options.dnstap_output.output_type -}}
+{{- ' "' + item.options.dnstap_output.output_file + '"' -}}
+{{- (' size ' + item.options.dnstap_output.size | string) if item.options.dnstap_output.size is defined and item.options.dnstap_output.size -}}
+{{- (' versions ' + item.options.dnstap_output.versions | string) if item.options.dnstap_output.versions is defined and item.options.dnstap_output.versions -}}
+{{- (' suffix ' + item.options.dnstap_output.suffix | string) if item.options.dnstap_output.suffix is defined and item.options.dnstap_output.suffix -}};
 {% endif %}
-{% if option.dnstap is defined and option.dnstap %}
+{% if item.options.dnstap is defined and item.options.dnstap %}
 dnstap {
-{% filter indent(2, true) %}
-{% for dnstap in option.dnstap %}
+{% filter indent(bind9_config_indent, true) %}
+{% for dnstap in item.options.dnstap %}
 {{ dnstap.type }}{{ ' ' + dnstap.log if dnstap.log is defined and dnstap.log }};
 {% endfor %}
 {% endfilter %}};
 {% endif %}
-{% if option.dns64 is defined and option.dns64 %}
-{% for dns64 in option.dns64 if option.dns64 is sequence %}
+{% if item.options.dns64 is defined and item.options.dns64 %}
+{% for dns64 in item.options.dns64 if item.options.dns64 is sequence %}
 dns64 {{ dns64.netprefix }} {
-{% filter indent(2, true) %}
-{{ ('break-dnssec ' + dns64.break_dnssec | functions.named_boolean + ';\n') if dns64.break_dnssec is defined and dns64.break_dnssec is boolean -}}
-{{ ('recursive-only ' + dns64.recursive_only | functions.named_boolean + ';\n') if dns64.recursive_only is defined and dns64.recursive_only is boolean -}}
+{% filter indent(bind9_config_indent, true) %}
+{{ ('break-dnssec ' + functions.named_boolean(dns64.break_dnssec) + ';\n') if dns64.break_dnssec is defined and dns64.break_dnssec is boolean -}}
+{{ ('recursive-only ' + functions.named_boolean(dns64.recursive_only) + ';\n') if dns64.recursive_only is defined and dns64.recursive_only is boolean -}}
 {{ ('suffix ' + dns64.suffix + ';\n') if dns64.suffix is defined and dns64.suffix -}}
 {{ ("clients {\n" + functions.simple_item_list(dns64.clients) + "};\n") if dns64.clients is defined and dns64.clients -}}
 {{ ("exclude {\n" + functions.simple_item_list(dns64.exclude) + "};\n") if dns64.exclude is defined and dns64.exclude -}}
@@ -139,32 +141,32 @@ dns64 {{ dns64.netprefix }} {
 {% endfilter %}};
 {% endfor %}
 {% endif %}
-{% if option.deny_answer_aliases is defined and option.deny_answer_aliases %}
+{% if item.options.deny_answer_aliases is defined and item.options.deny_answer_aliases %}
 deny-answer-aliases {
-{{ functions.simple_item_list(option.deny_answer_aliases.names) }}}
-{%- if option.deny_answer_aliases.except_from is defined and option.deny_answer_aliases.except_from %}
+{{ functions.simple_item_list(item.options.deny_answer_aliases.names) }}}
+{%- if item.options.deny_answer_aliases.except_from is defined and item.options.deny_answer_aliases.except_from %}
  except-from {
-{{ functions.simple_item_list(option.deny_answer_aliases.except_from, 4) }}}
+{{ functions.simple_item_list(item.options.deny_answer_aliases.except_from, 4) }}}
 {%- endif %};
 {% endif %}
-{% if option.deny_answer_addresses is defined and option.deny_answer_addresses %}
+{% if item.options.deny_answer_addresses is defined and item.options.deny_answer_addresses %}
 deny-answer-addresses {
-{{ functions.simple_item_list(option.deny_answer_addresses.addresses) }}}
-{%- if option.deny_answer_addresses.except_from is defined and option.deny_answer_addresses.except_from %}
+{{ functions.simple_item_list(item.options.deny_answer_addresses.addresses) }}}
+{%- if item.options.deny_answer_addresses.except_from is defined and item.options.deny_answer_addresses.except_from %}
  except-from {
-{{ functions.simple_item_list(option.deny_answer_addresses.except_from, 4) }}}
+{{ functions.simple_item_list(item.options.deny_answer_addresses.except_from, 4) }}}
 {%- endif %};
 {% endif %}
-{% if option.check_names is defined and option.check_names %}
-{% for policy in option.check_names %}
+{% if item.options.check_names is defined and item.options.check_names %}
+{% for policy in item.options.check_names %}
 check-names {{ policy.type }} {{ policy.action }};
 {% endfor %}
 {% endif %}
-{% if option.catalog_zones is defined and option.catalog_zones %}
+{% if item.options.catalog_zones is defined and item.options.catalog_zones %}
 catalog-zones {
-{% for catalog_zone in option.catalog_zones %}
+{% for catalog_zone in item.options.catalog_zones %}
 zone {{ catalog_zone.zone }}
-{% filter indent(6, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% if catalog_zone.default_primaries is defined and catalog_zone.default_primaries %}
 default-primaries
 {{- (' port ' + catalog_zone.default_primaries.port | string) if catalog_zone.default_primaries.port is defined and catalog_zone.default_primaries.port -}}
@@ -172,293 +174,295 @@ default-primaries
 {{ functions.list_address_port_key_tls(catalog_zone.default_primaries.primaries) }}}
 {% endif %}
 {{ ('zone-directory "' + catalog_zone.zone_directory + '"') if catalog_zone.zone_directory is defined and catalog_zone.zone_directory }}
-{{ ('in-memory ' + (catalog_zone.in_memory | functions.named_boolean ) | string) if catalog_zone.in_memory is defined and catalog_zone.in_memory is boolean }}
+{{ ('in-memory ' + (functions.named_boolean(catalog_zone.in_memory)) | string) if catalog_zone.in_memory is defined and catalog_zone.in_memory is boolean }}
 {{ ('min-update-interval ' + catalog_zone.min_update_interval | string) if catalog_zone.min_update_interval is defined and catalog_zone.min_update_interval}};
 {% endfilter %}
 {% endfor %}};
 {% endif %}
-{{ functions.single_ip_port_dscp('transfer-source', option.transfer_source) if option.transfer_source is defined and option.transfer_source -}}
-{{ functions.single_ip_port_dscp('transfer-source-v6', option.transfer_source_v6) if option.transfer_source_v6 is defined and option.transfer_source_v6 -}}
-{{ functions.single_ip_port_dscp('alt-transfer-source', option.alt_transfer_source) if option.alt_transfer_source is defined and option.alt_transfer_source -}}
-{{ functions.single_ip_port_dscp('alt-transfer-source-v6', option.alt_transfer_source_v6) if option.alt_transfer_source_v6 is defined and option.alt_transfer_source_v6 -}}
-{{ functions.single_ip_port_dscp('query-source', option.query_source) if option.query_source is defined and option.query_source -}}
-{{ functions.single_ip_port_dscp('query-source-v6', option.query_source_v6) if option.query_source_v6 is defined and option.query_source_v6 -}}
-{{ functions.single_ip_port_dscp('parental-source', option.parental_source) if option.parental_source is defined and option.parental_source -}}
-{{ functions.single_ip_port_dscp('parental-source-v6', option.parental_source_v6) if option.parental_source_v6 is defined and option.parental_source_v6 -}}
-{{ functions.single_ip_port_dscp('notify-source', option.notify_source) if option.notify_source is defined and option.notify_source -}}
-{{ functions.single_ip_port_dscp('notify-source-v6', option.notify_source_v6) if option.notify_source_v6 is defined and option.notify_source_v6 -}}
-{% if option.also_notify is defined and option.also_notify is not string %}
+{{ functions.single_ip_port_dscp('transfer-source', item.options.transfer_source) if item.options.transfer_source is defined and item.options.transfer_source -}}
+{{ functions.single_ip_port_dscp('transfer-source-v6', item.options.transfer_source_v6) if item.options.transfer_source_v6 is defined and item.options.transfer_source_v6 -}}
+{{ functions.single_ip_port_dscp('alt-transfer-source', item.options.alt_transfer_source) if item.options.alt_transfer_source is defined and item.options.alt_transfer_source -}}
+{{ functions.single_ip_port_dscp('alt-transfer-source-v6', item.options.alt_transfer_source_v6) if item.options.alt_transfer_source_v6 is defined and item.options.alt_transfer_source_v6 -}}
+{{ functions.single_ip_port_dscp('query-source', item.options.query_source) if item.options.query_source is defined and item.options.query_source -}}
+{{ functions.single_ip_port_dscp('query-source-v6', item.options.query_source_v6) if item.options.query_source_v6 is defined and item.options.query_source_v6 -}}
+{{ functions.single_ip_port_dscp('parental-source', item.options.parental_source) if item.options.parental_source is defined and item.options.parental_source -}}
+{{ functions.single_ip_port_dscp('parental-source-v6', item.options.parental_source_v6) if item.options.parental_source_v6 is defined and item.options.parental_source_v6 -}}
+{{ functions.single_ip_port_dscp('notify-source', item.options.notify_source) if item.options.notify_source is defined and item.options.notify_source -}}
+{{ functions.single_ip_port_dscp('notify-source-v6', item.options.notify_source_v6) if item.options.notify_source_v6 is defined and item.options.notify_source_v6 -}}
+{% if item.options.also_notify is defined and item.options.also_notify is not string %}
 also-notify
-{{- (' port ' + option.also_notify.port | string) if option.also_notify.port is defined and option.also_notify.port -}}
-{{- (' dscp ' + option.also_notify.dscp | string) if option.also_notify.dscp is defined and option.also_notify.dscp }} {
-{{ functions.list_address_port_key_tls(option.also_notify.addresses) }}};
+{{- (' port ' + item.options.also_notify.port | string) if item.options.also_notify.port is defined and item.options.also_notify.port -}}
+{{- (' dscp ' + item.options.also_notify.dscp | string) if item.options.also_notify.dscp is defined and item.options.also_notify.dscp }} {
+{{ functions.list_address_port_key_tls(item.options.also_notify.addresses) }}};
 {% endif %}
-{% if option.allow_transfer is defined and option.allow_transfer is not string %}
+{% if item.options.allow_transfer is defined and item.options.allow_transfer is not string %}
 allow-transfer
-{{- (' port ' + option.allow_transfer.port | string) if option.allow_transfer.port is defined and option.allow_transfer.port -}}
-{{- (' transport ' + option.allow_transfer.transport) if option.allow_transfer.transport is defined and option.allow_transfer.transport }} {
-{{ functions.simple_item_list(option.allow_transfer.addresses) }}};
+{{- (' port ' + item.options.allow_transfer.port | string) if item.options.allow_transfer.port is defined and item.options.allow_transfer.port -}}
+{{- (' transport ' + item.options.allow_transfer.transport) if item.options.allow_transfer.transport is defined and item.options.allow_transfer.transport }} {
+{{ functions.simple_item_list(item.options.allow_transfer.addresses) }}};
 {% endif %}
 {# The rest #}
-{% if option.disable_algorithms is defined and option.disable_algorithms %}
-{% for item in option.disable_algorithms %}
+{% if item.options.disable_algorithms is defined and item.options.disable_algorithms %}
+{% for item in item.options.disable_algorithms %}
 disable-algorithms {{ item.domain }} { "{{ item.algorithms | join('"; "') }}"; };
 {% endfor %}
 {% endif %}
-{% if option.disable_ds_digests is defined and option.disable_ds_digests %}
-{% for item in option.disable_ds_digests %}
+{% if item.options.disable_ds_digests is defined and item.options.disable_ds_digests %}
+{% for item in item.options.disable_ds_digests %}
 disable-ds-digests {{ item.domain }} { "{{ item.digests | join('"; "') }}"; };
 {% endfor %}
 {% endif %}
 {# Oddball simple options #}
-{% if option.fetch_quota_params is defined and option.fetch_quota_params is string %}
-fetch-quota-params {{ option.fetch_quota_params }};
+{% if item.options.fetch_quota_params is defined and item.options.fetch_quota_params is string %}
+fetch-quota-params {{ item.options.fetch_quota_params }};
 {% endif %}
-{% if option.fetches_per_server is defined and option.fetches_per_server is string %}
-fetches-per-server {{ option.fetches_per_server }};
+{% if item.options.fetches_per_server is defined and item.options.fetches_per_server is string %}
+fetches-per-server {{ item.options.fetches_per_server }};
 {% endif %}
-{% if option.fetches_per_zone is defined and option.fetches_per_zone is string %}
-fetches-per-zone {{ option.fetches_per_zone }};
+{% if item.options.fetches_per_zone is defined and item.options.fetches_per_zone is string %}
+fetches-per-zone {{ item.options.fetches_per_zone }};
 {% endif %}
-{% if option.prefetch is defined and option.prefetch %}
-prefetch {{ option.prefetch }};
+{% if item.options.prefetch is defined and item.options.prefetch %}
+prefetch {{ item.options.prefetch }};
 {% endif %}
-{% if option.root_delegation_only is defined and option.root_delegation_only %}
-root-delegation-only{% if option.root_delegation_only.exclude is defined and option.root_delegation_only.exclude is sequence %} exclude {
-{{ functions.simple_item_list(options.root_delegation_only.exclude) }}}
+{% if item.options.root_delegation_only is defined and item.options.root_delegation_only %}
+root-delegation-only{% if item.options.root_delegation_only.exclude is defined and item.options.root_delegation_only.exclude is sequence %} exclude {
+{{ functions.simple_item_list(item.options.root_delegation_only.exclude) }}}
 {% endif %};
 {% endif %}
-{% if option.sig_validity_interval is defined and option.sig_validity_interval %}
-sig-validity-interval {{ option.sig_validity_interval }};
+{% if item.options.sig_validity_interval is defined and item.options.sig_validity_interval %}
+sig-validity-interval {{ item.options.sig_validity_interval }};
 {% endif %}
-{% if option.tkey_dhkey is defined and option.tkey_dhkey is mapping %}
-tkey-dhkey "{{ option.tkey_dhkey.key_name }}" {{ option.tkey_dhkey.key_tag }};
+{% if item.options.tkey_dhkey is defined and item.options.tkey_dhkey is mapping %}
+tkey-dhkey "{{ item.options.tkey_dhkey.key_name }}" {{ item.options.tkey_dhkey.key_tag }};
 {% endif %}
 {# special_quoted_string options with reserved keywords #}
-{% if option.dnstap_identity is defined and option.dnstap_identity is string %}
-{{ functions.reserved_or_quoted('dnstap-identity', option.dnstap_identity, ['none', 'hostname']) -}}
+{% if item.options.dnstap_identity is defined and item.options.dnstap_identity is string %}
+{{ functions.reserved_or_quoted('dnstap-identity', item.options.dnstap_identity, ['none', 'hostname']) -}}
 {% endif %}
-{% if option.dnstap_version is defined and option.dnstap_version is string %}
-{{ functions.reserved_or_quoted('dnstap-version', option.dnstap_version, ['none']) -}}
+{% if item.options.dnstap_version is defined and item.options.dnstap_version is string %}
+{{ functions.reserved_or_quoted('dnstap-version', item.options.dnstap_version, ['none']) -}}
 {% endif %}
-{% if option.geoip_directory is defined and option.geoip_directory is string %}
-{{ functions.reserved_or_quoted('geoip-directory', option.geoip_directory, ['none']) -}}
+{% if item.options.geoip_directory is defined and item.options.geoip_directory is string %}
+{{ functions.reserved_or_quoted('geoip-directory', item.options.geoip_directory, ['none']) -}}
 {% endif %}
-{% if option.hostname is defined and option.hostname is string %}
-{{ functions.reserved_or_quoted('hostname', option.hostname, ['none']) -}} 
+{% if item.options.hostname is defined and item.options.hostname is string %}
+{{ functions.reserved_or_quoted('hostname', item.options.hostname, ['none']) -}} 
 {% endif %}
-{% if option.lock_file is defined and option.lock_file is string %}
-{{ functions.reserved_or_quoted('lock-file', option.lock_file, ['none']) -}}
+{% if item.options.lock_file is defined and item.options.lock_file is string %}
+{{ functions.reserved_or_quoted('lock-file', item.options.lock_file, ['none']) -}}
 {% endif %}
-{% if option.pid_file is defined and option.pid_file is string %}
-{{ functions.reserved_or_quoted('pid-file', option.pid_file, ['none']) -}}
+{% if item.options.pid_file is defined and item.options.pid_file is string %}
+{{ functions.reserved_or_quoted('pid-file', item.options.pid_file, ['none']) -}}
 {% endif %}
-{% if option.random_device is defined and option.random_device is string %}
-{{ functions.reserved_or_quoted('random-device', option.random_device, ['none']) -}}
+{% if item.options.random_device is defined and item.options.random_device is string %}
+{{ functions.reserved_or_quoted('random-device', item.options.random_device, ['none']) -}}
 {% endif %}
-{% if option.server_id is defined and option.server_id is string %}
-{{ functions.reserved_or_quoted('server-id', option.server_id, ['none', 'hostname']) -}}
+{% if item.options.server_id is defined and item.options.server_id is string %}
+{{ functions.reserved_or_quoted('server-id', item.options.server_id, ['none', 'hostname']) -}}
 {% endif %}
-{% if option.session_keyfile is defined and option.session_keyfile is string %}
-{{ functions.reserved_or_quoted('session-keyfile', option.session_keyfile, ['none']) -}}
+{% if item.options.session_keyfile is defined and item.options.session_keyfile is string %}
+{{ functions.reserved_or_quoted('session-keyfile', item.options.session_keyfile, ['none']) -}}
 {% endif %}
-{% if option.version is defined and option.version is string %}
-{{ functions.reserved_or_quoted('version', option.version, ['none']) -}}
+{% if item.options.version is defined and item.options.version is string %}
+{{ functions.reserved_or_quoted('version', item.options.version, ['none']) -}}
 {% endif %}
 {# simple list options #}
-{{ ('avoid-v4-udp-ports {\n' + functions.simple_item_list(option.avoid_v4_udp_ports) + '};\n') if option.avoid_v4_udp_ports is defined and option.avoid_v4_udp_ports -}}
-{{ ('avoid-v6-udp-ports {\n' + functions.simple_item_list(option.avoid_v6_udp_ports) + '};\n') if option.avoid_v6_udp_ports is defined and option.avoid_v6_udp_ports -}}
-{{ ('use-v4-udp-ports {\n' + functions.simple_item_list(option.use_v4_udp_ports) + '};\n') if option.use_v4_udp_ports is defined and option.use_v4_udp_ports -}}
-{{ ('use-v6-udp-ports {\n' + functions.simple_item_list(option.use_v6_udp_ports) + '};\n') if option.use_v6_udp_ports is defined and option.use_v6_udp_ports -}}
-{{ ('validate-except {\n' + functions.simple_item_list(option.validate_except) + '};\n') if option.validate_except is defined and option.validate_except -}}
+{{ ('avoid-v4-udp-ports {\n' + functions.simple_item_list(item.options.avoid_v4_udp_ports) + '};\n') if item.options.avoid_v4_udp_ports is defined and item.options.avoid_v4_udp_ports -}}
+{{ ('avoid-v6-udp-ports {\n' + functions.simple_item_list(item.options.avoid_v6_udp_ports) + '};\n') if item.options.avoid_v6_udp_ports is defined and item.options.avoid_v6_udp_ports -}}
+{{ ('use-v4-udp-ports {\n' + functions.simple_item_list(item.options.use_v4_udp_ports) + '};\n') if item.options.use_v4_udp_ports is defined and item.options.use_v4_udp_ports -}}
+{{ ('use-v6-udp-ports {\n' + functions.simple_item_list(item.options.use_v6_udp_ports) + '};\n') if item.options.use_v6_udp_ports is defined and item.options.use_v6_udp_ports -}}
+{{ ('validate-except {\n' + functions.simple_item_list(item.options.validate_except) + '};\n') if item.options.validate_except is defined and item.options.validate_except -}}
 {# boolean_or_string options #}
-{{ ('dialup ' + functions.boolean_or_string(option.dialup) + ';\n') if option.dialup is defined -}}
-{{ ('ixfr-from-differences ' + functions.boolean_or_string(option.ixfr_from_differences) + ';\n') if option.ixfr_from_differences is defined -}}
-{{ ('minimal-responses ' + functions.boolean_or_string(option.minimal_responses) + ';\n') if option.minimal_responses is defined -}}
-{{ ('notify ' + functions.boolean_or_string(option.notify) + ';\n') if option.notify is defined -}}
-{{ ('zone-statistics ' + functions.boolean_or_string(option.zone_statistics) + ';\n') if option.zone_statistics is defined -}}
+{{ ('dialup ' + functions.boolean_or_string(item.options.dialup) + ';\n') if item.options.dialup is defined -}}
+{{ ('ixfr-from-differences ' + functions.boolean_or_string(item.options.ixfr_from_differences) + ';\n') if item.options.ixfr_from_differences is defined -}}
+{{ ('minimal-responses ' + functions.boolean_or_string(item.options.minimal_responses) + ';\n') if item.options.minimal_responses is defined -}}
+{{ ('notify ' + functions.boolean_or_string(item.options.notify) + ';\n') if item.options.notify is defined -}}
+{{ ('zone-statistics ' + functions.boolean_or_string(item.options.zone_statistics) + ';\n') if item.options.zone_statistics is defined -}}
 {# duration_sizeval options #}
-{{ ('fstrm-set-reopen-interval ' + option.fstrm_set_reopen_interval | string +';\n') if option.fstrm_set_reopen_interval is defined and option.fstrm_set_reopen_interval -}}
-{{ ('interface-interval ' + option.interface_interval | string +';\n') if option.interface_interval is defined and option.interface_interval -}}
-{{ ('lame-ttl ' + option.lame_ttl | string +';\n') if option.lame_ttl is defined and option.lame_ttl -}}
-{{ ('lmdb-mapsize ' + option.lmdb_mapsize | string +';\n') if option.lmdb_mapsize is defined and option.lmdb_mapsize -}}
-{{ ('max-cache-ttl ' + option.max_cache_ttl | string +';\n') if option.max_cache_ttl is defined and option.max_cache_ttl -}}
-{{ ('max-ncache-ttl ' + option.max_ncache_ttl | string +';\n') if option.max_ncache_ttl is defined and option.max_ncache_ttl -}}
-{{ ('max-stale-ttl ' + option.max_stale_ttl | string +';\n') if option.max_stale_ttl is defined and option.max_stale_ttl -}}
-{{ ('min-cache-ttl ' + option.min_cache_ttl | string +';\n') if option.min_cache_ttl is defined and option.min_cache_ttl -}}
-{{ ('min-ncache-ttl ' + option.min_ncache_ttl | string +';\n') if option.min_ncache_ttl is defined and option.min_ncache_ttl -}}
-{{ ('nta-lifetime ' + option.nta_lifetime | string +';\n') if option.nta_lifetime is defined and option.nta_lifetime -}}
-{{ ('nta-recheck ' + option.nta_recheck | string +';\n') if option.nta_recheck is defined and option.nta_recheck -}}
-{{ ('servfail-ttl ' + option.servfail_ttl | string +';\n') if option.servfail_ttl is defined and option.servfail_ttl -}}
-{{ ('stale-answer-ttl ' + option.stale_answer_ttl | string +';\n') if option.stale_answer_ttl is defined and option.stale_answer_ttl -}}
-{{ ('stale-refresh-time ' + option.stale_refresh_time | string +';\n') if option.stale_refresh_time is defined and option.stale_refresh_time -}}
+{{ ('fstrm-set-reopen-interval ' + item.options.fstrm_set_reopen_interval | string +';\n') if item.options.fstrm_set_reopen_interval is defined and item.options.fstrm_set_reopen_interval -}}
+{{ ('interface-interval ' + item.options.interface_interval | string +';\n') if item.options.interface_interval is defined and item.options.interface_interval -}}
+{{ ('lame-ttl ' + item.options.lame_ttl | string +';\n') if item.options.lame_ttl is defined and item.options.lame_ttl -}}
+{{ ('lmdb-mapsize ' + item.options.lmdb_mapsize | string +';\n') if item.options.lmdb_mapsize is defined and item.options.lmdb_mapsize -}}
+{{ ('max-cache-ttl ' + item.options.max_cache_ttl | string +';\n') if item.options.max_cache_ttl is defined and item.options.max_cache_ttl -}}
+{{ ('max-ncache-ttl ' + item.options.max_ncache_ttl | string +';\n') if item.options.max_ncache_ttl is defined and item.options.max_ncache_ttl -}}
+{{ ('max-stale-ttl ' + item.options.max_stale_ttl | string +';\n') if item.options.max_stale_ttl is defined and item.options.max_stale_ttl -}}
+{{ ('min-cache-ttl ' + item.options.min_cache_ttl | string +';\n') if item.options.min_cache_ttl is defined and item.options.min_cache_ttl -}}
+{{ ('min-ncache-ttl ' + item.options.min_ncache_ttl | string +';\n') if item.options.min_ncache_ttl is defined and item.options.min_ncache_ttl -}}
+{{ ('nta-lifetime ' + item.options.nta_lifetime | string +';\n') if item.options.nta_lifetime is defined and item.options.nta_lifetime -}}
+{{ ('nta-recheck ' + item.options.nta_recheck | string +';\n') if item.options.nta_recheck is defined and item.options.nta_recheck -}}
+{{ ('servfail-ttl ' + item.options.servfail_ttl | string +';\n') if item.options.servfail_ttl is defined and item.options.servfail_ttl -}}
+{{ ('stale-answer-ttl ' + item.options.stale_answer_ttl | string +';\n') if item.options.stale_answer_ttl is defined and item.options.stale_answer_ttl -}}
+{{ ('stale-refresh-time ' + item.options.stale_refresh_time | string +';\n') if item.options.stale_refresh_time is defined and item.options.stale_refresh_time -}}
 {# special options options #}
-{{ ('auto-dnssec ' + option.auto_dnssec | string +';\n') if option.auto_dnssec is defined and option.auto_dnssec -}}
-{{ ('check-dup-records ' + option.check_dup_records | string +';\n') if option.check_dup_records is defined and option.check_dup_records -}}
-{{ ('check-mx ' + option.check_mx | string +';\n') if option.check_mx is defined and option.check_mx -}}
-{{ ('check-mx-cname ' + option.check_mx_cname | string +';\n') if option.check_mx_cname is defined and option.check_mx_cname -}}
-{{ ('check-spf ' + option.check_spf | string +';\n') if option.check_spf is defined and option.check_spf -}}
-{{ ('check-srv-cname ' + option.check_srv_cname | string +';\n') if option.check_srv_cname is defined and option.check_srv_cname -}}
-{{ ('cookie-algorithm ' + option.cookie_algorithm | string +';\n') if option.cookie_algorithm is defined and option.cookie_algorithm -}}
-{{ ('coresize ' + option.coresize | string +';\n') if option.coresize is defined and option.coresize -}}
-{{ ('datasize ' + option.datasize | string +';\n') if option.datasize is defined and option.datasize -}}
-{{ ('dnssec-update-mode ' + option.dnssec_update_mode | string +';\n') if option.dnssec_update_mode is defined and option.dnssec_update_mode -}}
-{{ ('dnssec-validation ' + option.dnssec_validation | string +';\n') if option.dnssec_validation is defined and option.dnssec_validation -}}
-{{ ('files ' + option.files | string +';\n') if option.files is defined and option.files -}}
-{{ ('forward ' + option.forward | string +';\n') if option.forward is defined and option.forward -}}
-{{ ('fstrm-set-output-queue-model ' + option.fstrm_set_output_queue_model | string +';\n') if option.fstrm_set_output_queue_model is defined and option.fstrm_set_output_queue_model -}}
-{{ ('masterfile-format ' + option.masterfile_format | string +';\n') if option.masterfile_format is defined and option.masterfile_format -}}
-{{ ('masterfile-style ' + option.masterfile_style | string +';\n') if option.masterfile_style is defined and option.masterfile_style -}}
-{{ ('max-cache-size ' + option.max_cache_size | string +';\n') if option.max_cache_size is defined and option.max_cache_size -}}
-{{ ('max-ixfr-ratio ' + option.max_ixfr_ratio | string +';\n') if option.max_ixfr_ratio is defined and option.max_ixfr_ratio -}}
-{{ ('max-journal-size ' + option.max_journal_size | string +';\n') if option.max_journal_size is defined and option.max_journal_size -}}
-{{ ('max-zone-ttl ' + option.max_zone_ttl | string +';\n') if option.max_zone_ttl is defined and option.max_zone_ttl -}}
-{{ ('qname-minimization ' + option.qname_minimization | string +';\n') if option.qname_minimization is defined and option.qname_minimization -}}
-{{ ('serial-update-method ' + option.serial_update_method | string +';\n') if option.serial_update_method is defined and option.serial_update_method -}}
-{{ ('stacksize ' + option.stacksize | string +';\n') if option.stacksize is defined and option.stacksize -}}
-{{ ('stale-answer-client-timeout ' + option.stale_answer_client_timeout | string +';\n') if option.stale_answer_client_timeout is defined and option.stale_answer_client_timeout -}}
-{{ ('transfer-format ' + option.transfer_format | string +';\n') if option.transfer_format is defined and option.transfer_format -}}
+{{ ('auto-dnssec ' + item.options.auto_dnssec | string +';\n') if item.options.auto_dnssec is defined and item.options.auto_dnssec -}}
+{{ ('check-dup-records ' + item.options.check_dup_records | string +';\n') if item.options.check_dup_records is defined and item.options.check_dup_records -}}
+{{ ('check-mx ' + item.options.check_mx | string +';\n') if item.options.check_mx is defined and item.options.check_mx -}}
+{{ ('check-mx-cname ' + item.options.check_mx_cname | string +';\n') if item.options.check_mx_cname is defined and item.options.check_mx_cname -}}
+{{ ('check-spf ' + item.options.check_spf | string +';\n') if item.options.check_spf is defined and item.options.check_spf -}}
+{{ ('check-srv-cname ' + item.options.check_srv_cname | string +';\n') if item.options.check_srv_cname is defined and item.options.check_srv_cname -}}
+{{ ('cookie-algorithm ' + item.options.cookie_algorithm | string +';\n') if item.options.cookie_algorithm is defined and item.options.cookie_algorithm -}}
+{{ ('coresize ' + item.options.coresize | string +';\n') if item.options.coresize is defined and item.options.coresize -}}
+{{ ('datasize ' + item.options.datasize | string +';\n') if item.options.datasize is defined and item.options.datasize -}}
+{{ ('dnssec-update-mode ' + item.options.dnssec_update_mode | string +';\n') if item.options.dnssec_update_mode is defined and item.options.dnssec_update_mode -}}
+{{ ('dnssec-validation ' + functions.boolean_or_string(item.options.dnssec_validation) +';\n') if item.options.dnssec_validation is defined -}}
+{{ ('files ' + item.options.files | string +';\n') if item.options.files is defined and item.options.files -}}
+{{ ('forward ' + item.options.forward | string +';\n') if item.options.forward is defined and item.options.forward -}}
+{{ ('fstrm-set-output-queue-model ' + item.options.fstrm_set_output_queue_model | string +';\n') if item.options.fstrm_set_output_queue_model is defined and item.options.fstrm_set_output_queue_model -}}
+{{ ('masterfile-format ' + item.options.masterfile_format | string +';\n') if item.options.masterfile_format is defined and item.options.masterfile_format -}}
+{{ ('masterfile-style ' + item.options.masterfile_style | string +';\n') if item.options.masterfile_style is defined and item.options.masterfile_style -}}
+{{ ('max-cache-size ' + item.options.max_cache_size | string +';\n') if item.options.max_cache_size is defined and item.options.max_cache_size -}}
+{{ ('max-ixfr-ratio ' + item.options.max_ixfr_ratio | string +';\n') if item.options.max_ixfr_ratio is defined and item.options.max_ixfr_ratio -}}
+{{ ('max-journal-size ' + item.options.max_journal_size | string +';\n') if item.options.max_journal_size is defined and item.options.max_journal_size -}}
+{{ ('max-zone-ttl ' + item.options.max_zone_ttl | string +';\n') if item.options.max_zone_ttl is defined and item.options.max_zone_ttl -}}
+{{ ('qname-minimization ' + item.options.qname_minimization | string +';\n') if item.options.qname_minimization is defined and item.options.qname_minimization -}}
+{{ ('serial-update-method ' + item.options.serial_update_method | string +';\n') if item.options.serial_update_method is defined and item.options.serial_update_method -}}
+{{ ('stacksize ' + item.options.stacksize | string +';\n') if item.options.stacksize is defined and item.options.stacksize -}}
+{{ ('stale-answer-client-timeout ' + item.options.stale_answer_client_timeout | string +';\n') if item.options.stale_answer_client_timeout is defined and item.options.stale_answer_client_timeout -}}
+{{ ('transfer-format ' + item.options.transfer_format | string +';\n') if item.options.transfer_format is defined and item.options.transfer_format -}}
 {# quoted_string options #}
-{{ ('bindkeys-file "' + option.bindkeys_file | string +'";\n') if option.bindkeys_file is defined and option.bindkeys_file -}}
-{{ ('directory "' + option.directory | string +'";\n') if option.directory is defined and option.directory -}}
-{{ ('dump-file "' + option.dump_file | string +'";\n') if option.dump_file is defined and option.dump_file -}}
-{{ ('key-directory "' + option.key_directory | string +'";\n') if option.key_directory is defined and option.key_directory -}}
-{{ ('managed-keys-directory "' + option.managed_keys_directory | string +'";\n') if option.managed_keys_directory is defined and option.managed_keys_directory -}}
-{{ ('memstatistics-file "' + option.memstatistics_file | string +'";\n') if option.memstatistics_file is defined and option.memstatistics_file -}}
-{{ ('new-zones-directory "' + option.new_zones_directory | string +'";\n') if option.new_zones_directory is defined and option.new_zones_directory -}}
-{{ ('recursing-file "' + option.recursing_file | string +'";\n') if option.recursing_file is defined and option.recursing_file -}}
-{{ ('secroots-file "' + option.secroots_file | string +'";\n') if option.secroots_file is defined and option.secroots_file -}}
-{{ ('statistics-file "' + option.statistics_file | string +'";\n') if option.statistics_file is defined and option.statistics_file -}}
-{{ ('tkey-domain "' + option.tkey_domain | string +'";\n') if option.tkey_domain is defined and option.tkey_domain -}}
-{{ ('tkey-gssapi-credential "' + option.tkey_gssapi_credential | string +'";\n') if option.tkey_gssapi_credential is defined and option.tkey_gssapi_credential -}}
-{{ ('tkey-gssapi-keytab "' + option.tkey_gssapi_keytab | string +'";\n') if option.tkey_gssapi_keytab is defined and option.tkey_gssapi_keytab -}}
+{{ ('bindkeys-file "' + item.options.bindkeys_file | string +'";\n') if item.options.bindkeys_file is defined and item.options.bindkeys_file -}}
+{{ ('directory "' + item.options.directory | string +'";\n') if item.options.directory is defined and item.options.directory -}}
+{{ ('dump-file "' + item.options.dump_file | string +'";\n') if item.options.dump_file is defined and item.options.dump_file -}}
+{{ ('key-directory "' + item.options.key_directory | string +'";\n') if item.options.key_directory is defined and item.options.key_directory -}}
+{{ ('managed-keys-directory "' + item.options.managed_keys_directory | string +'";\n') if item.options.managed_keys_directory is defined and item.options.managed_keys_directory -}}
+{{ ('memstatistics-file "' + item.options.memstatistics_file | string +'";\n') if item.options.memstatistics_file is defined and item.options.memstatistics_file -}}
+{{ ('new-zones-directory "' + item.options.new_zones_directory | string +'";\n') if item.options.new_zones_directory is defined and item.options.new_zones_directory -}}
+{{ ('recursing-file "' + item.options.recursing_file | string +'";\n') if item.options.recursing_file is defined and item.options.recursing_file -}}
+{{ ('secroots-file "' + item.options.secroots_file | string +'";\n') if item.options.secroots_file is defined and item.options.secroots_file -}}
+{{ ('statistics-file "' + item.options.statistics_file | string +'";\n') if item.options.statistics_file is defined and item.options.statistics_file -}}
+{{ ('tkey-domain "' + item.options.tkey_domain | string +'";\n') if item.options.tkey_domain is defined and item.options.tkey_domain -}}
+{{ ('tkey-gssapi-credential "' + item.options.tkey_gssapi_credential | string +'";\n') if item.options.tkey_gssapi_credential is defined and item.options.tkey_gssapi_credential -}}
+{{ ('tkey-gssapi-keytab "' + item.options.tkey_gssapi_keytab | string +'";\n') if item.options.tkey_gssapi_keytab is defined and item.options.tkey_gssapi_keytab -}}
 {# simple_item_list options #}
-{{ ('allow-notify {\n' + functions.simple_item_list(option.allow_notify) + '};\n') if option.allow_notify is defined and option.allow_notify -}}
-{{ ('allow-query {\n' + functions.simple_item_list(option.allow_query) + '};\n') if option.allow_query is defined and option.allow_query -}}
-{{ ('allow-query-cache {\n' + functions.simple_item_list(option.allow_query_cache) + '};\n') if option.allow_query_cache is defined and option.allow_query_cache -}}
-{{ ('allow-query-cache-on {\n' + functions.simple_item_list(option.allow_query_cache_on) + '};\n') if option.allow_query_cache_on is defined and option.allow_query_cache_on -}}
-{{ ('allow-query-on {\n' + functions.simple_item_list(option.allow_query_on) + '};\n') if option.allow_query_on is defined and option.allow_query_on -}}
-{{ ('allow-recursion {\n' + functions.simple_item_list(option.allow_recursion) + '};\n') if option.allow_recursion is defined and option.allow_recursion -}}
-{{ ('allow-recursion-on {\n' + functions.simple_item_list(option.allow_recursion_on) + '};\n') if option.allow_recursion_on is defined and option.allow_recursion_on -}}
-{{ ('allow-update {\n' + functions.simple_item_list(option.allow_update) + '};\n') if option.allow_update is defined and option.allow_update -}}
-{{ ('allow-update-forwarding {\n' + functions.simple_item_list(option.allow_update_forwarding) + '};\n') if option.allow_update_forwarding is defined and option.allow_update_forwarding -}}
-{{ ('blackhole {\n' + functions.simple_item_list(option.blackhole) + '};\n') if option.blackhole is defined and option.blackhole -}}
-{{ ('keep-response-order {\n' + functions.simple_item_list(option.keep_response_order) + '};\n') if option.keep_response_order is defined and option.keep_response_order -}}
-{{ ('no-case-compress {\n' + functions.simple_item_list(option.no_case_compress) + '};\n') if option.no_case_compress is defined and option.no_case_compress -}}
-{{ ('sortlist {\n' + functions.simple_item_list(option.sortlist) + '};\n') if option.sortlist is defined and option.sortlist -}}
+{{ ('allow-notify {\n' + functions.simple_item_list(item.options.allow_notify) + '};\n') if item.options.allow_notify is defined and item.options.allow_notify -}}
+{{ ('allow-query {\n' + functions.simple_item_list(item.options.allow_query) + '};\n') if item.options.allow_query is defined and item.options.allow_query -}}
+{{ ('allow-query-cache {\n' + functions.simple_item_list(item.options.allow_query_cache) + '};\n') if item.options.allow_query_cache is defined and item.options.allow_query_cache -}}
+{{ ('allow-query-cache-on {\n' + functions.simple_item_list(item.options.allow_query_cache_on) + '};\n') if item.options.allow_query_cache_on is defined and item.options.allow_query_cache_on -}}
+{{ ('allow-query-on {\n' + functions.simple_item_list(item.options.allow_query_on) + '};\n') if item.options.allow_query_on is defined and item.options.allow_query_on -}}
+{{ ('allow-recursion {\n' + functions.simple_item_list(item.options.allow_recursion) + '};\n') if item.options.allow_recursion is defined and item.options.allow_recursion -}}
+{{ ('allow-recursion-on {\n' + functions.simple_item_list(item.options.allow_recursion_on) + '};\n') if item.options.allow_recursion_on is defined and item.options.allow_recursion_on -}}
+{{ ('allow-update {\n' + functions.simple_item_list(item.options.allow_update) + '};\n') if item.options.allow_update is defined and item.options.allow_update -}}
+{{ ('allow-update-forwarding {\n' + functions.simple_item_list(item.options.allow_update_forwarding) + '};\n') if item.options.allow_update_forwarding is defined and item.options.allow_update_forwarding -}}
+{{ ('blackhole {\n' + functions.simple_item_list(item.options.blackhole) + '};\n') if item.options.blackhole is defined and item.options.blackhole -}}
+{{ ('keep-response-order {\n' + functions.simple_item_list(item.options.keep_response_order) + '};\n') if item.options.keep_response_order is defined and item.options.keep_response_order -}}
+{{ ('no-case-compress {\n' + functions.simple_item_list(item.options.no_case_compress) + '};\n') if item.options.no_case_compress is defined and item.options.no_case_compress -}}
+{{ ('sortlist {\n' + functions.simple_item_list(item.options.sortlist) + '};\n') if item.options.sortlist is defined and item.options.sortlist -}}
 {# String options #}
-{{ ('attach-cache ' + option.attach_cache | string +';\n') if option.attach_cache is defined and option.attach_cache -}}
-{{ ('cookie-secret ' + option.cookie_secret | string +';\n') if option.cookie_secret is defined and option.cookie_secret -}}
-{{ ('disable-empty-zone ' + option.disable_empty_zone | string +';\n') if option.disable_empty_zone is defined and option.disable_empty_zone -}}
-{{ ('dns64-contact ' + option.dns64_contact | string +';\n') if option.dns64_contact is defined and option.dns64_contact -}}
-{{ ('dns64-server ' + option.dns64_server | string +';\n') if option.dns64_server is defined and option.dns64_server -}}
-{{ ('dnssec-policy ' + option.dnssec_policy | string +';\n') if option.dnssec_policy is defined and option.dnssec_policy -}}
-{{ ('empty-contact ' + option.empty_contact | string +';\n') if option.empty_contact is defined and option.empty_contact -}}
-{{ ('empty-server ' + option.empty_server | string +';\n') if option.empty_server is defined and option.empty_server -}}
-{{ ('ipv4only-contact ' + option.ipv4only_contact | string +';\n') if option.ipv4only_contact is defined and option.ipv4only_contact -}}
-{{ ('ipv4only-server ' + option.ipv4only_server | string +';\n') if option.ipv4only_server is defined and option.ipv4only_server -}}
-{{ ('nxdomain-redirect ' + option.nxdomain_redirect | string +';\n') if option.nxdomain_redirect is defined and option.nxdomain_redirect -}}
-{{ ('preferred-glue ' + option.preferred_glue | string +';\n') if option.preferred_glue is defined and option.preferred_glue -}}
-{{ ('session-keyalg ' + option.session_keyalg | string +';\n') if option.session_keyalg is defined and option.session_keyalg -}}
-{{ ('session-keyname ' + option.session_keyname | string +';\n') if option.session_keyname is defined and option.session_keyname -}}
+{{ ('attach-cache ' + item.options.attach_cache | string +';\n') if item.options.attach_cache is defined and item.options.attach_cache -}}
+{{ ('cookie-secret ' + item.options.cookie_secret | string +';\n') if item.options.cookie_secret is defined and item.options.cookie_secret -}}
+{{ ('disable-empty-zone ' + item.options.disable_empty_zone | string +';\n') if item.options.disable_empty_zone is defined and item.options.disable_empty_zone -}}
+{{ ('dns64-contact ' + item.options.dns64_contact | string +';\n') if item.options.dns64_contact is defined and item.options.dns64_contact -}}
+{{ ('dns64-server ' + item.options.dns64_server | string +';\n') if item.options.dns64_server is defined and item.options.dns64_server -}}
+{{ ('dnssec-policy ' + item.options.dnssec_policy | string +';\n') if item.options.dnssec_policy is defined and item.options.dnssec_policy -}}
+{{ ('empty-contact ' + item.options.empty_contact | string +';\n') if item.options.empty_contact is defined and item.options.empty_contact -}}
+{{ ('empty-server ' + item.options.empty_server | string +';\n') if item.options.empty_server is defined and item.options.empty_server -}}
+{{ ('ipv4only-contact ' + item.options.ipv4only_contact | string +';\n') if item.options.ipv4only_contact is defined and item.options.ipv4only_contact -}}
+{{ ('ipv4only-server ' + item.options.ipv4only_server | string +';\n') if item.options.ipv4only_server is defined and item.options.ipv4only_server -}}
+{{ ('nxdomain-redirect ' + item.options.nxdomain_redirect | string +';\n') if item.options.nxdomain_redirect is defined and item.options.nxdomain_redirect -}}
+{{ ('preferred-glue ' + item.options.preferred_glue | string +';\n') if item.options.preferred_glue is defined and item.options.preferred_glue -}}
+{{ ('session-keyalg ' + item.options.session_keyalg | string +';\n') if item.options.session_keyalg is defined and item.options.session_keyalg -}}
+{{ ('session-keyname ' + item.options.session_keyname | string +';\n') if item.options.session_keyname is defined and item.options.session_keyname -}}
 {# Integer options #}
-{{ ('clients-per-query ' + option.clients_per_query | string +';\n') if option.clients_per_query is defined and option.clients_per_query -}}
-{{ ('dnskey-sig-validity ' + option.dnskey_sig_validity | string +';\n') if option.dnskey_sig_validity is defined and option.dnskey_sig_validity -}}
-{{ ('dnssec-loadkeys-interval ' + option.dnssec_loadkeys_interval | string +';\n') if option.dnssec_loadkeys_interval is defined and option.dnssec_loadkeys_interval -}}
-{{ ('dscp ' + option.dscp | string +';\n') if option.dscp is defined and option.dscp -}}
-{{ ('edns-udp-size ' + option.edns_udp_size | string +';\n') if option.edns_udp_size is defined and option.edns_udp_size -}}
-{{ ('fstrm-set-buffer-hint ' + option.fstrm_set_buffer_hint | string +';\n') if option.fstrm_set_buffer_hint is defined and option.fstrm_set_buffer_hint -}}
-{{ ('fstrm-set-flush-timeout ' + option.fstrm_set_flush_timeout | string +';\n') if option.fstrm_set_flush_timeout is defined and option.fstrm_set_flush_timeout -}}
-{{ ('fstrm-set-input-queue-size ' + option.fstrm_set_input_queue_size | string +';\n') if option.fstrm_set_input_queue_size is defined and option.fstrm_set_input_queue_size -}}
-{{ ('fstrm-set-output-notify-threshold ' + option.fstrm_set_output_notify_threshold | string +';\n') if option.fstrm_set_output_notify_threshold is defined and option.fstrm_set_output_notify_threshold -}}
-{{ ('fstrm-set-output-queue-size ' + option.fstrm_set_output_queue_size | string +';\n') if option.fstrm_set_output_queue_size is defined and option.fstrm_set_output_queue_size -}}
-{{ ('heartbeat-interval ' + option.heartbeat_interval | string +';\n') if option.heartbeat_interval is defined and option.heartbeat_interval -}}
-{{ ('http-listener-clients ' + option.http_listener_clients | string +';\n') if option.http_listener_clients is defined and option.http_listener_clients -}}
-{{ ('http-port ' + option.http_port | string +';\n') if option.http_port is defined and option.http_port -}}
-{{ ('http-streams-per-connection ' + option.http_streams_per_connection | string +';\n') if option.http_streams_per_connection is defined and option.http_streams_per_connection -}}
-{{ ('https-port ' + option.https_port | string +';\n') if option.https_port is defined and option.https_port -}}
-{{ ('max-clients-per-query ' + option.max_clients_per_query | string +';\n') if option.max_clients_per_query is defined and option.max_clients_per_query -}}
-{{ ('max-records ' + option.max_records | string +';\n') if option.max_records is defined and option.max_records -}}
-{{ ('max-recursion-depth ' + option.max_recursion_depth | string +';\n') if option.max_recursion_depth is defined and option.max_recursion_depth -}}
-{{ ('max-recursion-queries ' + option.max_recursion_queries | string +';\n') if option.max_recursion_queries is defined and option.max_recursion_queries -}}
-{{ ('max-refresh-time ' + option.max_refresh_time | string +';\n') if option.max_refresh_time is defined and option.max_refresh_time -}}
-{{ ('max-retry-time ' + option.max_retry_time | string +';\n') if option.max_retry_time is defined and option.max_retry_time -}}
-{{ ('max-rsa-exponent-size ' + option.max_rsa_exponent_size | string +';\n') if option.max_rsa_exponent_size is defined and option.max_rsa_exponent_size -}}
-{{ ('max-transfer-idle-in ' + option.max_transfer_idle_in | string +';\n') if option.max_transfer_idle_in is defined and option.max_transfer_idle_in -}}
-{{ ('max-transfer-idle-out ' + option.max_transfer_idle_out | string +';\n') if option.max_transfer_idle_out is defined and option.max_transfer_idle_out -}}
-{{ ('max-transfer-time-in ' + option.max_transfer_time_in | string +';\n') if option.max_transfer_time_in is defined and option.max_transfer_time_in -}}
-{{ ('max-transfer-time-out ' + option.max_transfer_time_out | string +';\n') if option.max_transfer_time_out is defined and option.max_transfer_time_out -}}
-{{ ('max-udp-size ' + option.max_udp_size | string +';\n') if option.max_udp_size is defined and option.max_udp_size -}}
-{{ ('min-refresh-time ' + option.min_refresh_time | string +';\n') if option.min_refresh_time is defined and option.min_refresh_time -}}
-{{ ('min-retry-time ' + option.min_retry_time | string +';\n') if option.min_retry_time is defined and option.min_retry_time -}}
-{{ ('nocookie-udp-size ' + option.nocookie_udp_size | string +';\n') if option.nocookie_udp_size is defined and option.nocookie_udp_size -}}
-{{ ('notify-delay ' + option.notify_delay | string +';\n') if option.notify_delay is defined and option.notify_delay -}}
-{{ ('notify-rate ' + option.notify_rate | string +';\n') if option.notify_rate is defined and option.notify_rate -}}
-{{ ('port ' + option.port | string +';\n') if option.port is defined and option.port -}}
-{{ ('recursive-clients ' + option.recursive_clients | string +';\n') if option.recursive_clients is defined and option.recursive_clients -}}
-{{ ('resolver-nonbackoff-tries ' + option.resolver_nonbackoff_tries | string +';\n') if option.resolver_nonbackoff_tries is defined and option.resolver_nonbackoff_tries -}}
-{{ ('resolver-query-timeout ' + option.resolver_query_timeout | string +';\n') if option.resolver_query_timeout is defined and option.resolver_query_timeout -}}
-{{ ('resolver-retry-interval ' + option.resolver_retry_interval | string +';\n') if option.resolver_retry_interval is defined and option.resolver_retry_interval -}}
-{{ ('serial-query-rate ' + option.serial_query_rate | string +';\n') if option.serial_query_rate is defined and option.serial_query_rate -}}
-{{ ('sig-signing-nodes ' + option.sig_signing_nodes | string +';\n') if option.sig_signing_nodes is defined and option.sig_signing_nodes -}}
-{{ ('sig-signing-signatures ' + option.sig_signing_signatures | string +';\n') if option.sig_signing_signatures is defined and option.sig_signing_signatures -}}
-{{ ('sig-signing-type ' + option.sig_signing_type | string +';\n') if option.sig_signing_type is defined and option.sig_signing_type -}}
-{{ ('startup-notify-rate ' + option.startup_notify_rate | string +';\n') if option.startup_notify_rate is defined and option.startup_notify_rate -}}
-{{ ('tcp-advertised-timeout ' + option.tcp_advertised_timeout | string +';\n') if option.tcp_advertised_timeout is defined and option.tcp_advertised_timeout -}}
-{{ ('tcp-clients ' + option.tcp_clients | string +';\n') if option.tcp_clients is defined and option.tcp_clients -}}
-{{ ('tcp-idle-timeout ' + option.tcp_idle_timeout | string +';\n') if option.tcp_idle_timeout is defined and option.tcp_idle_timeout -}}
-{{ ('tcp-initial-timeout ' + option.tcp_initial_timeout | string +';\n') if option.tcp_initial_timeout is defined and option.tcp_initial_timeout -}}
-{{ ('tcp-keepalive-timeout ' + option.tcp_keepalive_timeout | string +';\n') if option.tcp_keepalive_timeout is defined and option.tcp_keepalive_timeout -}}
-{{ ('tcp-listen-queue ' + option.tcp_listen_queue | string +';\n') if option.tcp_listen_queue is defined and option.tcp_listen_queue -}}
-{{ ('tcp-receive-buffer ' + option.tcp_receive_buffer | string +';\n') if option.tcp_receive_buffer is defined and option.tcp_receive_buffer -}}
-{{ ('tcp-send-buffer ' + option.tcp_send_buffer | string +';\n') if option.tcp_send_buffer is defined and option.tcp_send_buffer -}}
-{{ ('tls-port ' + option.tls_port | string +';\n') if option.tls_port is defined and option.tls_port -}}
-{{ ('transfer-message-size ' + option.transfer_message_size | string +';\n') if option.transfer_message_size is defined and option.transfer_message_size -}}
-{{ ('transfers-in ' + option.transfers_in | string +';\n') if option.transfers_in is defined and option.transfers_in -}}
-{{ ('transfers-out ' + option.transfers_out | string +';\n') if option.transfers_out is defined and option.transfers_out -}}
-{{ ('transfers-per-ns ' + option.transfers_per_ns | string +';\n') if option.transfers_per_ns is defined and option.transfers_per_ns -}}
-{{ ('udp-receive-buffer ' + option.udp_receive_buffer | string +';\n') if option.udp_receive_buffer is defined and option.udp_receive_buffer -}}
-{{ ('udp-send-buffer ' + option.udp_send_buffer | string +';\n') if option.udp_send_buffer is defined and option.udp_send_buffer -}}
-{{ ('v6-bias ' + option.v6_bias | string +';\n') if option.v6_bias is defined and option.v6_bias -}}
+{{ ('clients-per-query ' + item.options.clients_per_query | string +';\n') if item.options.clients_per_query is defined and item.options.clients_per_query -}}
+{{ ('dnskey-sig-validity ' + item.options.dnskey_sig_validity | string +';\n') if item.options.dnskey_sig_validity is defined and item.options.dnskey_sig_validity -}}
+{{ ('dnssec-loadkeys-interval ' + item.options.dnssec_loadkeys_interval | string +';\n') if item.options.dnssec_loadkeys_interval is defined and item.options.dnssec_loadkeys_interval -}}
+{{ ('dscp ' + item.options.dscp | string +';\n') if item.options.dscp is defined and item.options.dscp -}}
+{{ ('edns-udp-size ' + item.options.edns_udp_size | string +';\n') if item.options.edns_udp_size is defined and item.options.edns_udp_size -}}
+{{ ('fstrm-set-buffer-hint ' + item.options.fstrm_set_buffer_hint | string +';\n') if item.options.fstrm_set_buffer_hint is defined and item.options.fstrm_set_buffer_hint -}}
+{{ ('fstrm-set-flush-timeout ' + item.options.fstrm_set_flush_timeout | string +';\n') if item.options.fstrm_set_flush_timeout is defined and item.options.fstrm_set_flush_timeout -}}
+{{ ('fstrm-set-input-queue-size ' + item.options.fstrm_set_input_queue_size | string +';\n') if item.options.fstrm_set_input_queue_size is defined and item.options.fstrm_set_input_queue_size -}}
+{{ ('fstrm-set-output-notify-threshold ' + item.options.fstrm_set_output_notify_threshold | string +';\n') if item.options.fstrm_set_output_notify_threshold is defined and item.options.fstrm_set_output_notify_threshold -}}
+{{ ('fstrm-set-output-queue-size ' + item.options.fstrm_set_output_queue_size | string +';\n') if item.options.fstrm_set_output_queue_size is defined and item.options.fstrm_set_output_queue_size -}}
+{{ ('heartbeat-interval ' + item.options.heartbeat_interval | string +';\n') if item.options.heartbeat_interval is defined and item.options.heartbeat_interval -}}
+{{ ('http-listener-clients ' + item.options.http_listener_clients | string +';\n') if item.options.http_listener_clients is defined and item.options.http_listener_clients -}}
+{{ ('http-port ' + item.options.http_port | string +';\n') if item.options.http_port is defined and item.options.http_port -}}
+{{ ('http-streams-per-connection ' + item.options.http_streams_per_connection | string +';\n') if item.options.http_streams_per_connection is defined and item.options.http_streams_per_connection -}}
+{{ ('https-port ' + item.options.https_port | string +';\n') if item.options.https_port is defined and item.options.https_port -}}
+{{ ('max-clients-per-query ' + item.options.max_clients_per_query | string +';\n') if item.options.max_clients_per_query is defined and item.options.max_clients_per_query -}}
+{{ ('max-records ' + item.options.max_records | string +';\n') if item.options.max_records is defined and item.options.max_records -}}
+{{ ('max-recursion-depth ' + item.options.max_recursion_depth | string +';\n') if item.options.max_recursion_depth is defined and item.options.max_recursion_depth -}}
+{{ ('max-recursion-queries ' + item.options.max_recursion_queries | string +';\n') if item.options.max_recursion_queries is defined and item.options.max_recursion_queries -}}
+{{ ('max-refresh-time ' + item.options.max_refresh_time | string +';\n') if item.options.max_refresh_time is defined and item.options.max_refresh_time -}}
+{{ ('max-retry-time ' + item.options.max_retry_time | string +';\n') if item.options.max_retry_time is defined and item.options.max_retry_time -}}
+{{ ('max-rsa-exponent-size ' + item.options.max_rsa_exponent_size | string +';\n') if item.options.max_rsa_exponent_size is defined and item.options.max_rsa_exponent_size -}}
+{{ ('max-transfer-idle-in ' + item.options.max_transfer_idle_in | string +';\n') if item.options.max_transfer_idle_in is defined and item.options.max_transfer_idle_in -}}
+{{ ('max-transfer-idle-out ' + item.options.max_transfer_idle_out | string +';\n') if item.options.max_transfer_idle_out is defined and item.options.max_transfer_idle_out -}}
+{{ ('max-transfer-time-in ' + item.options.max_transfer_time_in | string +';\n') if item.options.max_transfer_time_in is defined and item.options.max_transfer_time_in -}}
+{{ ('max-transfer-time-out ' + item.options.max_transfer_time_out | string +';\n') if item.options.max_transfer_time_out is defined and item.options.max_transfer_time_out -}}
+{{ ('max-udp-size ' + item.options.max_udp_size | string +';\n') if item.options.max_udp_size is defined and item.options.max_udp_size -}}
+{{ ('min-refresh-time ' + item.options.min_refresh_time | string +';\n') if item.options.min_refresh_time is defined and item.options.min_refresh_time -}}
+{{ ('min-retry-time ' + item.options.min_retry_time | string +';\n') if item.options.min_retry_time is defined and item.options.min_retry_time -}}
+{{ ('nocookie-udp-size ' + item.options.nocookie_udp_size | string +';\n') if item.options.nocookie_udp_size is defined and item.options.nocookie_udp_size -}}
+{{ ('notify-delay ' + item.options.notify_delay | string +';\n') if item.options.notify_delay is defined and item.options.notify_delay -}}
+{{ ('notify-rate ' + item.options.notify_rate | string +';\n') if item.options.notify_rate is defined and item.options.notify_rate -}}
+{{ ('port ' + item.options.port | string +';\n') if item.options.port is defined and item.options.port -}}
+{{ ('recursive-clients ' + item.options.recursive_clients | string +';\n') if item.options.recursive_clients is defined and item.options.recursive_clients -}}
+{{ ('resolver-nonbackoff-tries ' + item.options.resolver_nonbackoff_tries | string +';\n') if item.options.resolver_nonbackoff_tries is defined and item.options.resolver_nonbackoff_tries -}}
+{{ ('resolver-query-timeout ' + item.options.resolver_query_timeout | string +';\n') if item.options.resolver_query_timeout is defined and item.options.resolver_query_timeout -}}
+{{ ('resolver-retry-interval ' + item.options.resolver_retry_interval | string +';\n') if item.options.resolver_retry_interval is defined and item.options.resolver_retry_interval -}}
+{{ ('serial-query-rate ' + item.options.serial_query_rate | string +';\n') if item.options.serial_query_rate is defined and item.options.serial_query_rate -}}
+{{ ('sig-signing-nodes ' + item.options.sig_signing_nodes | string +';\n') if item.options.sig_signing_nodes is defined and item.options.sig_signing_nodes -}}
+{{ ('sig-signing-signatures ' + item.options.sig_signing_signatures | string +';\n') if item.options.sig_signing_signatures is defined and item.options.sig_signing_signatures -}}
+{{ ('sig-signing-type ' + item.options.sig_signing_type | string +';\n') if item.options.sig_signing_type is defined and item.options.sig_signing_type -}}
+{{ ('startup-notify-rate ' + item.options.startup_notify_rate | string +';\n') if item.options.startup_notify_rate is defined and item.options.startup_notify_rate -}}
+{{ ('tcp-advertised-timeout ' + item.options.tcp_advertised_timeout | string +';\n') if item.options.tcp_advertised_timeout is defined and item.options.tcp_advertised_timeout -}}
+{{ ('tcp-clients ' + item.options.tcp_clients | string +';\n') if item.options.tcp_clients is defined and item.options.tcp_clients -}}
+{{ ('tcp-idle-timeout ' + item.options.tcp_idle_timeout | string +';\n') if item.options.tcp_idle_timeout is defined and item.options.tcp_idle_timeout -}}
+{{ ('tcp-initial-timeout ' + item.options.tcp_initial_timeout | string +';\n') if item.options.tcp_initial_timeout is defined and item.options.tcp_initial_timeout -}}
+{{ ('tcp-keepalive-timeout ' + item.options.tcp_keepalive_timeout | string +';\n') if item.options.tcp_keepalive_timeout is defined and item.options.tcp_keepalive_timeout -}}
+{{ ('tcp-listen-queue ' + item.options.tcp_listen_queue | string +';\n') if item.options.tcp_listen_queue is defined and item.options.tcp_listen_queue -}}
+{{ ('tcp-receive-buffer ' + item.options.tcp_receive_buffer | string +';\n') if item.options.tcp_receive_buffer is defined and item.options.tcp_receive_buffer -}}
+{{ ('tcp-send-buffer ' + item.options.tcp_send_buffer | string +';\n') if item.options.tcp_send_buffer is defined and item.options.tcp_send_buffer -}}
+{{ ('tls-port ' + item.options.tls_port | string +';\n') if item.options.tls_port is defined and item.options.tls_port -}}
+{{ ('transfer-message-size ' + item.options.transfer_message_size | string +';\n') if item.options.transfer_message_size is defined and item.options.transfer_message_size -}}
+{{ ('transfers-in ' + item.options.transfers_in | string +';\n') if item.options.transfers_in is defined and item.options.transfers_in -}}
+{{ ('transfers-out ' + item.options.transfers_out | string +';\n') if item.options.transfers_out is defined and item.options.transfers_out -}}
+{{ ('transfers-per-ns ' + item.options.transfers_per_ns | string +';\n') if item.options.transfers_per_ns is defined and item.options.transfers_per_ns -}}
+{{ ('udp-receive-buffer ' + item.options.udp_receive_buffer | string +';\n') if item.options.udp_receive_buffer is defined and item.options.udp_receive_buffer -}}
+{{ ('udp-send-buffer ' + item.options.udp_send_buffer | string +';\n') if item.options.udp_send_buffer is defined and item.options.udp_send_buffer -}}
+{{ ('v6-bias ' + item.options.v6_bias | string +';\n') if item.options.v6_bias is defined and item.options.v6_bias -}}
 {# Boolean options #}
-{{ (functions.boolean_option('allow-new-zones', option.allow_new_zones) + '\n') if option.allow_new_zones is defined -}}
-{{ (functions.boolean_option('answer-cookie', option.answer_cookie) + '\n') if option.answer_cookie is defined -}}
-{{ (functions.boolean_option('auth-nxdomain', option.auth_nxdomain) + '\n') if option.auth_nxdomain is defined -}}
-{{ (functions.boolean_option('automatic-interface-scan', option.automatic_interface_scan) + '\n') if option.automatic_interface_scan is defined -}}
-{{ (functions.boolean_option('check-integrity', option.check_integrity) + '\n') if option.check_integrity is defined -}}
-{{ (functions.boolean_option('check-sibling', option.check_sibling) + '\n') if option.check_sibling is defined -}}
-{{ (functions.boolean_option('check-wildcard', option.check_wildcard) + '\n') if option.check_wildcard is defined -}}
-{{ (functions.boolean_option('dnsrps-enable', option.dnsrps_enable) + '\n') if option.dnsrps_enable is defined -}}
-{{ (functions.boolean_option('dnssec-accept-expired', option.dnssec_accept_expired) + '\n') if option.dnssec_accept_expired is defined -}}
-{{ (functions.boolean_option('dnssec-dnskey-kskonly', option.dnssec_dnskey_kskonly) + '\n') if option.dnssec_dnskey_kskonly is defined -}}
-{{ (functions.boolean_option('dnssec-secure-to-insecure', option.dnssec_secure_to_insecure) + '\n') if option.dnssec_secure_to_insecure is defined -}}
-{{ (functions.boolean_option('empty-zones-enable', option.empty_zones_enable) + '\n') if option.empty_zones_enable is defined -}}
-{{ (functions.boolean_option('flush-zones-on-shutdown', option.flush_zones_on_shutdown) + '\n') if option.flush_zones_on_shutdown is defined -}}
-{{ (functions.boolean_option('glue-cache', option.glue_cache) + '\n') if option.glue_cache is defined -}}
-{{ (functions.boolean_option('ipv4only-enable', option.ipv4only_enable) + '\n') if option.ipv4only_enable is defined -}}
-{{ (functions.boolean_option('match-mapped-addresses', option.match_mapped_addresses) + '\n') if option.match_mapped_addresses is defined -}}
-{{ (functions.boolean_option('memstatistics', option.memstatistics) + '\n') if option.memstatistics is defined -}}
-{{ (functions.boolean_option('message-compression', option.message_compression) + '\n') if option.message_compression is defined -}}
-{{ (functions.boolean_option('minimal-any', option.minimal_any) + '\n') if option.minimal_any is defined -}}
-{{ (functions.boolean_option('multi-master', option.multi_master) + '\n') if option.multi_master is defined -}}
-{{ (functions.boolean_option('notify-to-soa', option.notify_to_soa) + '\n') if option.notify_to_soa is defined -}}
-{{ (functions.boolean_option('provide-ixfr', option.provide_ixfr) + '\n') if option.provide_ixfr is defined -}}
-{{ (functions.boolean_option('querylog', option.querylog) + '\n') if option.querylog is defined -}}
-{{ (functions.boolean_option('recursion', option.recursion) + '\n') if option.recursion is defined -}}
-{{ (functions.boolean_option('request-expire', option.request_expire) + '\n') if option.request_expire is defined -}}
-{{ (functions.boolean_option('request-ixfr', option.request_ixfr) + '\n') if option.request_ixfr is defined -}}
-{{ (functions.boolean_option('request-nsid', option.request_nsid) + '\n') if option.request_nsid is defined -}}
-{{ (functions.boolean_option('require-server-cookie', option.require_server_cookie) + '\n') if option.require_server_cookie is defined -}}
-{{ (functions.boolean_option('reuseport', option.reuseport) + '\n') if option.reuseport is defined -}}
-{{ (functions.boolean_option('root-key-sentinel', option.root_key_sentinel) + '\n') if option.root_key_sentinel is defined -}}
-{{ (functions.boolean_option('send-cookie', option.send_cookie) + '\n') if option.send_cookie is defined -}}
-{{ (functions.boolean_option('stale-answer-enable', option.stale_answer_enable) + '\n') if option.stale_answer_enable is defined -}}
-{{ (functions.boolean_option('stale-cache-enable', option.stale_cache_enable) + '\n') if option.stale_cache_enable is defined -}}
-{{ (functions.boolean_option('synth-from-dnssec', option.synth_from_dnssec) + '\n') if option.synth_from_dnssec is defined -}}
-{{ (functions.boolean_option('trust-anchor-telemetry', option.trust_anchor_telemetry) + '\n') if option.trust_anchor_telemetry is defined -}}
-{{ (functions.boolean_option('try-tcp-refresh', option.try_tcp_refresh) + '\n') if option.try_tcp_refresh is defined -}}
-{{ (functions.boolean_option('update-check-ksk', option.update_check_ksk) + '\n') if option.update_check_ksk is defined -}}
-{{ (functions.boolean_option('use-alt-transfer-source', option.use_alt_transfer_source) + '\n') if option.use_alt_transfer_source is defined -}}
-{{ (functions.boolean_option('zero-no-soa-ttl', option.zero_no_soa_ttl) + '\n') if option.zero_no_soa_ttl is defined -}}
-{{ (functions.boolean_option('zero-no-soa-ttl-cache', option.zero_no_soa_ttl_cache) + '\n') if option.zero_no_soa_ttl_cache is defined -}}
-{% endmacro %}
+{{ (functions.boolean_option('allow-new-zones', item.options.allow_new_zones) + '\n') if item.options.allow_new_zones is defined -}}
+{{ (functions.boolean_option('answer-cookie', item.options.answer_cookie) + '\n') if item.options.answer_cookie is defined -}}
+{{ (functions.boolean_option('auth-nxdomain', item.options.auth_nxdomain) + '\n') if item.options.auth_nxdomain is defined -}}
+{{ (functions.boolean_option('automatic-interface-scan', item.options.automatic_interface_scan) + '\n') if item.options.automatic_interface_scan is defined -}}
+{{ (functions.boolean_option('check-integrity', item.options.check_integrity) + '\n') if item.options.check_integrity is defined -}}
+{{ (functions.boolean_option('check-sibling', item.options.check_sibling) + '\n') if item.options.check_sibling is defined -}}
+{{ (functions.boolean_option('check-wildcard', item.options.check_wildcard) + '\n') if item.options.check_wildcard is defined -}}
+{{ (functions.boolean_option('dnsrps-enable', item.options.dnsrps_enable) + '\n') if item.options.dnsrps_enable is defined -}}
+{{ (functions.boolean_option('dnssec-accept-expired', item.options.dnssec_accept_expired) + '\n') if item.options.dnssec_accept_expired is defined -}}
+{{ (functions.boolean_option('dnssec-dnskey-kskonly', item.options.dnssec_dnskey_kskonly) + '\n') if item.options.dnssec_dnskey_kskonly is defined -}}
+{{ (functions.boolean_option('dnssec-secure-to-insecure', item.options.dnssec_secure_to_insecure) + '\n') if item.options.dnssec_secure_to_insecure is defined -}}
+{{ (functions.boolean_option('empty-zones-enable', item.options.empty_zones_enable) + '\n') if item.options.empty_zones_enable is defined -}}
+{{ (functions.boolean_option('flush-zones-on-shutdown', item.options.flush_zones_on_shutdown) + '\n') if item.options.flush_zones_on_shutdown is defined -}}
+{{ (functions.boolean_option('glue-cache', item.options.glue_cache) + '\n') if item.options.glue_cache is defined -}}
+{{ (functions.boolean_option('ipv4only-enable', item.options.ipv4only_enable) + '\n') if item.options.ipv4only_enable is defined -}}
+{{ (functions.boolean_option('match-mapped-addresses', item.options.match_mapped_addresses) + '\n') if item.options.match_mapped_addresses is defined -}}
+{{ (functions.boolean_option('memstatistics', item.options.memstatistics) + '\n') if item.options.memstatistics is defined -}}
+{{ (functions.boolean_option('message-compression', item.options.message_compression) + '\n') if item.options.message_compression is defined -}}
+{{ (functions.boolean_option('minimal-any', item.options.minimal_any) + '\n') if item.options.minimal_any is defined -}}
+{{ (functions.boolean_option('multi-master', item.options.multi_master) + '\n') if item.options.multi_master is defined -}}
+{{ (functions.boolean_option('notify-to-soa', item.options.notify_to_soa) + '\n') if item.options.notify_to_soa is defined -}}
+{{ (functions.boolean_option('provide-ixfr', item.options.provide_ixfr) + '\n') if item.options.provide_ixfr is defined -}}
+{{ (functions.boolean_option('querylog', item.options.querylog) + '\n') if item.options.querylog is defined -}}
+{{ (functions.boolean_option('recursion', item.options.recursion) + '\n') if item.options.recursion is defined -}}
+{{ (functions.boolean_option('request-expire', item.options.request_expire) + '\n') if item.options.request_expire is defined -}}
+{{ (functions.boolean_option('request-ixfr', item.options.request_ixfr) + '\n') if item.options.request_ixfr is defined -}}
+{{ (functions.boolean_option('request-nsid', item.options.request_nsid) + '\n') if item.options.request_nsid is defined -}}
+{{ (functions.boolean_option('require-server-cookie', item.options.require_server_cookie) + '\n') if item.options.require_server_cookie is defined -}}
+{{ (functions.boolean_option('reuseport', item.options.reuseport) + '\n') if item.options.reuseport is defined -}}
+{{ (functions.boolean_option('root-key-sentinel', item.options.root_key_sentinel) + '\n') if item.options.root_key_sentinel is defined -}}
+{{ (functions.boolean_option('send-cookie', item.options.send_cookie) + '\n') if item.options.send_cookie is defined -}}
+{{ (functions.boolean_option('stale-answer-enable', item.options.stale_answer_enable) + '\n') if item.options.stale_answer_enable is defined -}}
+{{ (functions.boolean_option('stale-cache-enable', item.options.stale_cache_enable) + '\n') if item.options.stale_cache_enable is defined -}}
+{{ (functions.boolean_option('synth-from-dnssec', item.options.synth_from_dnssec) + '\n') if item.options.synth_from_dnssec is defined -}}
+{{ (functions.boolean_option('trust-anchor-telemetry', item.options.trust_anchor_telemetry) + '\n') if item.options.trust_anchor_telemetry is defined -}}
+{{ (functions.boolean_option('try-tcp-refresh', item.options.try_tcp_refresh) + '\n') if item.options.try_tcp_refresh is defined -}}
+{{ (functions.boolean_option('update-check-ksk', item.options.update_check_ksk) + '\n') if item.options.update_check_ksk is defined -}}
+{{ (functions.boolean_option('use-alt-transfer-source', item.options.use_alt_transfer_source) + '\n') if item.options.use_alt_transfer_source is defined -}}
+{{ (functions.boolean_option('zero-no-soa-ttl', item.options.zero_no_soa_ttl) + '\n') if item.options.zero_no_soa_ttl is defined -}}
+{{ (functions.boolean_option('zero-no-soa-ttl-cache', item.options.zero_no_soa_ttl_cache) + '\n') if item.options.zero_no_soa_ttl_cache is defined -}}
+{% endfilter %}
+};
+

templates/named.conf.parental-agents.j2

@@ -1,10 +1,8 @@
-{% macro parental_agents(parental_agents) %}
-{% for agent in parental_agents if parental_agents is iterable %}
+{% for agent in item.parental_agents if item.parental_agents is iterable %}
+
 parental-agents {{ agent.name -}}
 {{ (' port ' + agent.port | string) if agent.port is defined and agent.port -}}
 {{ (' dscp ' + agent.dscp | string) if agent.dscp is defined and agent.dscp }} {
-{% filter indent(2, true) %}
-{{ functions.list_address_port_key_tls(agent.addresses) -}}
-{% endfilter %}};
+{{ functions.list_address_port_key_tls(agent.addresses) -}}};
+
 {% endfor %}
-{% endmacro %}

templates/named.conf.primaries.j2

@@ -1,8 +1,7 @@
-{% macro primaries(primaries) %}
-{% for primary in primaries if primaries is iterable %}
+{% for primary in item.primaries if item.primaries is iterable %}
+
 primaries {{ primary.name -}}
 {{ (' port ' + primary.port | string) if primary.port is defined and primary.port -}}
 {{ (' dscp ' + primary.dscp | string) if primary.dscp is defined and primary.dscp }} {
 {{ functions.list_address_port_key_tls(primary.addresses) -}}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.server.j2

@@ -1,7 +1,7 @@
-{% macro server(servers) %}
-{% for server in servers if servers is iterable %}
+{% for server in item.server if item.server is iterable %}
+
 server {{ server.prefix }} {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% if server.transfer_source is defined and server.transfer_source is mapping %}
 transfer-source {{ server.transfer_source.address -}}
 {{- (' port ' + server.transfer_source.port | string) if server.transfer_source.port is defined and server.transfer_source.port -}}
@@ -54,4 +54,3 @@ query-source
 {{ (functions.boolean_option('send-cookie', server.send_cookie) + '\n') if server.send_cookie is defined -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.statistics-channels.j2

@@ -1,10 +1,9 @@
-{% macro statistics_channels(statistics_channels) %}
+
 statistics-channels {
-{% filter indent(2, true) %}
-{% for channel in statistics_channels if statistics_channels is iterable %}
+{% filter indent(bind9_config_indent, true) %}
+{% for channel in item.statistics_channels if item.statistics_channels is iterable %}
 inet {{ channel.address | string }}
 {{- (' port ' + channel.port | string) if channel.port is defined and channel.port -}}
 {{- (' allow {\n' + functions.simple_item_list(channel.allow) + '};\n') if channel.allow is defined and channel.allow -}}
 {% endfor %}
 {% endfilter %}};
-{% endmacro %}

templates/named.conf.tls.j2

@@ -1,7 +1,7 @@
-{% macro tls(tlss) %}
-{% for tls in tlss if tlss is iterable %}
+{% for tls in item.tls if item.tls is iterable %}
+
 tls {{ tls.name }} {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {{ ('cert-file "' + tls.cert_file + '";\n') if tls.cert_file is defined and tls.cert_file -}}
 {{ ('key-file "' + tls.key_file + '";\n') if tls.key_file is defined and tls.key_file -}}
 {{ ('dhparam-file "' + tls.dhparam_file + '";\n') if tls.dhparam_file is defined and tls.dhparam_file -}}
@@ -13,4 +13,3 @@ tls {{ tls.name }} {
 {{ (functions.boolean_option('session-tickets', tls.session_tickets) + '\n') if tls.session_tickets is defined -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.trust-anchors.j2

@@ -1,7 +1,7 @@
-{% macro trust_anchors(trust_anchors) %}
+
 trust-anchors {
-{% filter indent(2, true) %}
-{% for anchor in trust_anchors if trust_anchors is iterable %}
+{% filter indent(bind9_config_indent, true) %}
+{% for anchor in item.trust_anchors if item.trust_anchors is iterable %}
 {{ (anchor.name | string) -}}
 {{ (' ' + anchor.type) -}}
 {{ (' ' + anchor.flags | string) -}}
@@ -10,4 +10,3 @@ trust-anchors {
 {{ (' "' + anchor.key + '"') -}};
 {% endfor %}
 {% endfilter %}};
-{% endmacro %}

templates/named.conf.view.j2

@@ -1,7 +1,7 @@
-{% macro view(views) %}
-{% for view in views if views is iterable %}
+{% for view in item.view if item.view is iterable %}
+
 view {{ view.name }} {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {{ ('match-recursive-only ' + functions.named_boolean(view.match_recursive_only) + ';\n') if view.match_recursive_only is defined -}}
 {{ ('match-clients {\n' + functions.simple_item_list(view.match_clients) + '};\n') if view.match_clients is defined and view.match_clients -}}
 {{ ('match-destinations {\n' + functions.simple_item_list(view.match_destinations) + '};\n') if view.match_destinations is defined and view.match_destinations -}}
@@ -75,4 +75,4 @@ view {{ view.name }} {
 {{ trust_anchors(view.trust_anchors) -}}
 {% endif %}
 {% endfilter %}
-};{% endfor %}{% endmacro %}
+};{% endfor %}

templates/named.conf.zone.j2

@@ -1,8 +1,7 @@
-# Zones Macro
-{% macro zones(zones) -%}
-{% for zone in zones %}
+{% for zone in item.zones %}
+
 zone "{{ zone.name }}" {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 # Zone {{ zone.name }} type {{ zone.type }}
 {# Most critical/defining statements first #}
 {{ ('type ' + zone.type | string+';\n') if zone.type is defined and zone.type -}}
@@ -24,12 +23,12 @@ zone "{{ zone.name }}" {
 update-policy local;
 {% else %}
 update-policy {
-{% filter indent(2, true) %}
+{% filter indent(bind9_config_indent, true) %}
 {% for policy in zone.update_policy %}
 {{ policy.permission -}}
 {{ ' ' + policy.identity -}}
 {{ ' ' + policy.ruletype -}}
-{{ ' ' + policy.name -}}
+{{ ' ' + policy.name if policy.name is defined -}}
 {{ ' ' + policy.types -}};
 {% endfor %}
 {% endfilter %}};
@@ -48,7 +47,7 @@ server-names {
 server-addresses {
 {{ functions.simple_item_list(zone.server_addresses) }}};
 {% endif %}
-{{ functions.parent_address_port_dscp('forwarders', zone.forwarders) if zone.forwarders is defined and zone.forwarders -}}
+{{ functions.parent_address_port_tls('forwarders', zone.forwarders) if zone.forwarders is defined and zone.forwarders -}}
 {% if zone.allow_transfer is defined and zone.allow_transfer is not string %}
 allow-transfer
 {{- (' port ' + zone.allow_transfer.port | string) if zone.allow_transfer.port is defined and zone.allow_transfer.port -}}
@@ -157,6 +156,4 @@ parental-source-v6 {{ zone.parental_source_v6.address -}}
 {{ ('in-view ' + zone.in_view | string+';\n') if zone.in_view is defined and zone.in_view -}}
 {% endfilter %}
 };
-
 {% endfor %}
-{% endmacro %}