Add --bind-conf flag for BIND domains.conf generation

Generate a BIND-format domains.conf file alongside catalog zones.
New input properties: file= (zone data path) and dnssec (bare flag).
When --bind-conf is set, every zone must have file= or it errors.

Renames ZoneEntry.File to ZonesFile (input path for error messages)
and adds ZoneFile (BIND file path) and DNSSEC (bool) fields.
2026-03-28 11:15:06 -07:00
parent 44d7867a0c
commit 0eddb9fcfe
9 changed files with 451 additions and 51 deletions

@@ -22,13 +22,14 @@ go build -o catalog-zone-gen .
## Usage
```
catalog-zone-gen [--config path] [--output-dir path] <input-file>
catalog-zone-gen [--config path] [--output-dir path] [--bind-conf path] <input-file>
```
**Flags:**
- `--config` — path to YAML config file (default: `catz.yaml` next to the input file)
- `--output-dir` — directory for output zone files (default: same directory as the input file)
- `--bind-conf` — path to write a BIND `domains.conf` file (optional; see [BIND Config Output](#bind-config-output))
## Configuration File
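Review bot: The `--bind-conf` bullet gives no resolution rule, unlike the `--config` and `--output-dir` bullets above it, which both state what the path defaults to. State whether a relative `--bind-conf` path is resolved against the current directory or against `--output-dir`, and whether an existing file at that path is overwritten.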
@@ -64,7 +65,7 @@ Whitespace and comma delimited. Lines starting with `#` are comments.
Blank lines are ignored.
```
<zone-name> <catalog>[, <catalog>...] [, group=<value>] [, coo=<fqdn>]
<zone-name> <catalog>[, <catalog>...] [, group=<value>] [, coo=<fqdn>] [, file=<path>] [, dnssec]
```
### Fields
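Review bot: In the new syntax line, `file=<path>` sits inside a format the README describes as whitespace and comma delimited, so a path containing a space or a comma cannot be expressed. Say so under Fields, or define a quoting rule, so the reader does not have to guess how such a value is tokenized.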
@@ -75,6 +76,8 @@ Blank lines are ignored.
| Bare names | identifier | Catalog assignments — must match a key in the config `catalogs` map. At least one required. |
| `group=<value>` | key=value | RFC 9432 group property. Tells consumers to apply shared configuration to grouped zones. |
| `coo=<fqdn>` | key=value | RFC 9432 change-of-ownership property. Points to the old catalog zone during migration. |
| `file=<path>` | key=value | Zone data file path for BIND config output. Required when `--bind-conf` is used. |
| `dnssec` | bare flag | Adds `dnssec-policy standard; inline-signing yes;` to the BIND config for this zone. |
A zone can appear in multiple catalogs (for distributing to different server groups).
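Review bot: The `dnssec` row hard-codes `dnssec-policy standard;`, and `standard` is not one of BIND's built-in policies (`default`, `insecure`, `none`), so the generated file only loads if named.conf defines a policy with that name. Document that prerequisite in this row or in the BIND Config Output section, or make the policy name a config setting. The `file=` row should also say what happens to `file=` and `dnssec` when `--bind-conf` is not given.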
@@ -82,10 +85,10 @@ A zone can appear in multiple catalogs (for distributing to different server gro
```
# Production zones
zone.example.org catalog1, catalog2
zone.example.com catalog2, coo=old-catalog.example.com.
test.example.net catalog1, group=internal
app.example.org catalog1, group=external, coo=migrated.example.com.
zone.example.org catalog1, catalog2, file=data/zones/example.org
zone.example.com catalog2, coo=old-catalog.example.com., file=data/zones/example.com
test.example.net catalog1, group=internal, file=data/zones/example.net, dnssec
app.example.org catalog1, group=external, coo=migrated.example.com., file=data/zones/app.example.org
```
Whitespace and comma placement is flexible. These are all equivalent:
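Review bot: Every example line now carries `file=`, which hides that the property is only required with `--bind-conf`. Keep one line without it (for instance the original `zone.example.org catalog1, catalog2`) and say what the relative paths are relative to; in a `file "...";` statement named resolves them against its `directory` option, not against the location of the input file.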
@@ -163,4 +166,35 @@ error: zones.txt:5: zone example.com. already assigned to catalog "catalog1" at
- Same zone assigned to the same catalog more than once — error
- Hash collision (two zone names produce the same hash within a catalog) — error
- Missing required config fields — error
- Unknown properties (anything other than `group` and `coo`) — error
- Unknown properties (anything other than `group`, `coo`, `file`) — error
- Empty `file=` value — error
- `dnssec=<anything>` (dnssec is a bare flag, not a key=value) — error
- When `--bind-conf` is used: any zone missing `file=` — error
## BIND Config Output
When `--bind-conf <path>` is specified, a BIND `domains.conf` file is written
in addition to the catalog zone files. This file defines all zones as `type
master` with their `file` paths from the `file=` input property.
**Example output:**
```
# THIS FILE IS GENERATED BY catalog-zone-gen
#=============================================
#
zone "askask.com" {
type master;
file "data/ask/askask.com";
};
zone "bitcard.org" {
type master;
file "data/misc/bitcard.org"; dnssec-policy standard; inline-signing yes;
};
```
- Zones are sorted alphabetically by name
- 8-space indentation
- DNSSEC zones (marked with `dnssec` in the input) get `dnssec-policy standard;
inline-signing yes;` on the same line as `file`
- Every zone must have a `file=` property when `--bind-conf` is used
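Review bot: The validation list only rejects an empty `file=` value, yet the example output places that value inside a double-quoted `file "...";` statement. A value containing `"`, `;`, `{` or `}` would change the structure of the generated config, so add a rule (and a test) that rejects those characters, and consider rejecting `..` segments or absolute paths if zone files are expected to stay under one directory. Separately, the "Unknown properties" bullet lists `group`, `coo`, `file` but not the `dnssec` bare flag; reword it so the accepted set is complete.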