
// DNSSEC key-and-signing policy for this zone; the zone statement refers to
// it by name through its own dnssec-policy option.
dnssec-policy "{{ domain }}-policy" {
    // Key set. Both keys live in the zone's key-directory, so that directory
    // holds private key material and should be readable by named only.
    keys {
        // "lifetime unlimited": named never schedules a KSK rollover by itself.
        // Replacing the KSK (and the DS record at the parent) is a manual task.
        ksk key-directory lifetime unlimited algorithm {{ dnssec_algorithm }} {{ dnssec_key_length }};
        // The ZSK is rolled automatically every 30 days.
        zsk key-directory lifetime P30D algorithm {{ dnssec_algorithm }} {{ dnssec_key_length }};
    };

    // Signature timing: RRSIGs are valid for 10 days and are regenerated once
    // they have 5 days left. A signer that stays down longer than that lets
    // signatures expire, and validating resolvers then treat the zone as bogus.
    signatures-validity P10D;
    signatures-validity-dnskey P10D;
    signatures-refresh P5D;

    // Extra margin added before a new key is used / an old key is removed.
    publish-safety P1D;
    retire-safety P1D;

    // Zone-side timing used to compute rollover steps. max-zone-ttl must be at
    // least the largest TTL actually present in the zone file.
    max-zone-ttl PT24H;
    zone-propagation-delay PT5M;

    // Parent-side timing (DS record TTL and how long the parent takes to publish).
    parent-ds-ttl P1D;
    parent-propagation-delay PT1H;
    // NOTE(review): newer BIND 9 releases appear to treat this option as
    // obsolete; confirm with named-checkconf on the deployed version.
    parent-registration-delay P5D;
};
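// Primary (master) zone definition, signed inline with the policy named below.
zone "{{ domain }}" {
    type master;
    file "{{ database_file }}";
    // Directory holding the DNSSEC private keys; restrict it to the named user.
    key-directory "{{ keys_directory }}";
    // do not check for correct hostnames
    // (owner names that are not valid hostnames are accepted without warning)
    check-names ignore;
    // dnssec: named keeps the unsigned zone file as-is and maintains a signed copy
    inline-signing yes;
    dnssec-policy "{{ domain }}-policy";
    // dynamic updates
    // Rule 1: the key named local-ddns (by default named's own session key,
    //         used by "nsupdate -l") may update any record type in the zone.
    // Rule 2: every TSIG/SIG(0) key known to this server may update records at
    //         the name equal to the key's own name and anything below it. No
    //         record types are listed, so the rule is not limited to address
    //         records. A key named after the zone apex would therefore control
    //         the whole zone: name keys after the single host they belong to.
    update-policy {
        grant local-ddns zonesub any;
        grant * selfsub .;
    };
    // notify & transfer
    notify yes;
    // Zone transfers are authorised by source address only; no TSIG key is
    // required here. Anyone able to send from one of these addresses can pull
    // the full zone, so consider adding per-secondary TSIG keys.
    // The IPv6 entry is emitted only when the secondary reports a default IPv6
    // address, so IPv4-only secondaries no longer break template rendering.
    allow-transfer {
{% for fqdn in slaves %}
        {{ hostvars[fqdn].ansible_default_ipv4.address }};
{% if hostvars[fqdn].ansible_default_ipv6 is defined and hostvars[fqdn].ansible_default_ipv6.address is defined %}
        {{ hostvars[fqdn].ansible_default_ipv6.address }};
{% endif %}
{% endfor %}
{% for ip in slaves_ip %}
        {{ ip }};
{% endfor %}
    };
    // Explicit NOTIFY targets, built from the same lists as allow-transfer so
    // every server that is told about a change is also allowed to fetch it.
    also-notify {
{% for fqdn in slaves %}
        {{ hostvars[fqdn].ansible_default_ipv4.address }};
{% if hostvars[fqdn].ansible_default_ipv6 is defined and hostvars[fqdn].ansible_default_ipv6.address is defined %}
        {{ hostvars[fqdn].ansible_default_ipv6.address }};
{% endif %}
{% endfor %}
{% for ip in slaves_ip %}
        {{ ip }};
{% endfor %}
    };
};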