options {
  directory "/var/cache/bind";

  // Running inside Docker. Bind address on Docker host is 127.0.0.1.
  listen-on { any; };
  listen-on-v6 { any; };

  // We are allowing BIND to service recursive queries, but only in an extremely limimited sense
  // where it is entirely disconnected from public DNS:
  // - Iterative queries are disabled. Only forwarding to a non-existent forwarder.
  // - The only recursive answers we can get (that will not be a SERVFAIL) will come from the
  //   RPZ "mock-recursion" zone. Effectively this means we are mocking out the entirety of
  //   public DNS.
  allow-recursion { any; };       // BIND will only answer using RPZ if recursion is enabled
  forwarders { 192.0.2.254; };    // Nobody is listening, this is TEST-NET-1
  forward only;                   // Do NOT perform iterative queries from the root zone
  dnssec-validation no;           // Do not bother fetching the root DNSKEY set (performance)
  response-policy {               // All recursive queries will be served from here.
    zone "mock-recursion"
    log yes;
  } recursive-only no             // Allow RPZs to affect authoritative zones too.
    qname-wait-recurse no         // No real recursion.
    nsip-wait-recurse no;         // No real recursion.

  allow-transfer { none; };
  allow-update { none; };
};

key "default-key." {
  algorithm hmac-sha512;
  secret "91CgOwzihr0nAVEHKFXJPQCbuBBbBI19Ks5VAweUXgbF40NWTD83naeg3c5y2MPdEiFRXnRLJxL6M+AfHCGLNw==";
};

zone "mock-recursion" {
  type primary;
  file "/var/lib/bind/rpz.mock-recursion";
  allow-query {
    none;
  };
};

zone "example.com." {
  type primary;
  file "/var/lib/bind/db.example.com";
  journal "/var/cache/bind/db.example.com.jnl";

  update-policy {
    grant default-key zonesub TXT;
  };
};

zone "sub.example.com." {
  type primary;
  file "/var/lib/bind/db.sub.example.com";
  journal "/var/cache/bind/db.sub.example.com.jnl";

  update-policy {
    grant default-key zonesub TXT;
  };
};