#
# named.conf Forwarding nameserver
#

# This configuration file assumes named is running in a chrooted
# mode. Thus all directory paths are relative to the chrooted root,
# /opt/services/named

include "etc/rndc.key";

# Configure logging
logging {
    channel nrao_security_channel {
        file "var/log/security" versions 3 size 1m;
        print-time yes;
        print-severity yes;
    };
    channel nrao_default_channel {
        file "var/log/default" versions 3 size 1m;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel nrao_queries_channel {
        file "var/log/queries" versions 3 size 8m;
        print-time yes;
        print-severity yes;
    };
    channel nrao_updates_channel {
        file "var/log/updates" versions 4 size 4m;
        print-time yes;
#        severity debug 7;
        print-severity yes;
        print-category yes;
    };
    channel nrao_general_channel {
        file "var/log/general" versions 3 size 300k;
        print-time yes;
        print-severity yes;
    };
    channel nrao_updates-denied_channel {
        file "var/log/updates-denied" versions 4 size 4m;
        print-time yes;
#        severity debug 7;
        print-severity yes;
        print-category yes;
    };
    channel nrao_stat_channel {
        file "var/log/statistics" versions 3 size 300k;
        print-time yes;
        print-severity yes;
    };
    channel nrao_edns_what {
        file "var/log/edns_log" versions 4 size 1m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 7;
    };
    category default { nrao_default_channel; };
    category security { nrao_security_channel; };
    category update { nrao_updates_channel; };
    category general { nrao_general_channel; default_syslog; };
    category queries { nrao_queries_channel; };
    category update-security { nrao_updates-denied_channel; };
    category edns-disabled { nrao_edns_what; };

# No logging for the categories of no interest to us. The queries
# category produces the most entries, followed by lame-servers,
# statistics, cnames and response-checks.
    #category cname { null; };
    category lame-servers { null; };
    #category maintenance { null; };
    #category response-checks { null; };
};

#       Global options which can be over written in the zone statements

options {
    pid-file "var/run/named-pid";
    dump-file "var/log/cache_dump.db";
    statistics-file "var/log/named_stats.txt";

    notify master-only;
         
    allow-query {
        10.1.34.0/24;
        146.88.0.0/16;
        127.0.0.1; 
    };

    # Restrict zone transfers (and listing of the domain)
    allow-transfer {
        none;
    };

#    auth-nxdomain yes;

    # Bit bucket for attackers
    blackhole { 194.204.49.250; 194.204.49.254; };
    max-journal-size 4m;
};

#
# This server is for resolving compute nodes but it had better know how to
# forward other requests otherwise all other requests will be delayed.
#
zone "." IN {
    type forward;
    forward only;
    forwarders { 146.88.1.14; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "master/127.0.0";
    allow-update { none; };
};

zone "usno.nrao.edu" {
    type master;
    file "master/usno.nrao.edu";
    allow-update { 10.1.34.2; };
    allow-query { any; };
    allow-transfer { 10.1.34.2; };
};

zone "34.1.10.in-addr.arpa" {
    type master;
    file "master/10.1.34";
    allow-update { 10.1.34.2; };
    allow-query { any; };
    allow-transfer { 10.1.34.2; };
};

zone "35.1.10.in-addr.arpa" {
    type master;
    file "master/10.1.35";
    allow-update { 10.1.34.2; };
    allow-query { any; };
    allow-transfer { 10.1.34.2; };
};