Allow catalog-only zones without file= in --bind-conf mode

Zones without a file= property (e.g. ddns zones) are included in
catalog zone output for secondaries but skipped in domains.conf.
Previously --bind-conf required every zone to have file= set.

README.md

@@ -76,7 +76,7 @@ Blank lines are ignored.
 | Bare names | identifier | Catalog assignments — must match a key in the config `catalogs` map. At least one required. |
 | `group=<value>` | key=value | RFC 9432 group property. Tells consumers to apply shared configuration to grouped zones. |
 | `coo=<fqdn>` | key=value | RFC 9432 change-of-ownership property. Points to the old catalog zone during migration. |
-| `file=<path>` | key=value | Zone data file path for BIND config output. Required when `--bind-conf` is used. |
+| `file=<path>` | key=value | Zone data file path for BIND config output. Zones without `file=` are included in catalog zones but skipped in `--bind-conf` output. |
 | `dnssec` | bare flag | Adds `dnssec-policy standard; inline-signing yes;` to the BIND config for this zone. |
 
 A zone can appear in multiple catalogs (for distributing to different server groups).
@@ -169,7 +169,7 @@ error: zones.txt:5: zone example.com. already assigned to catalog "catalog1" at
 - Unknown properties (anything other than `group`, `coo`, `file`) — error
 - Empty `file=` value — error
 - `dnssec=<anything>` (dnssec is a bare flag, not a key=value) — error
-- When `--bind-conf` is used: any zone missing `file=` — error
+- When `--bind-conf` is used: zones without `file=` are silently skipped (included in catalog output only)
 
 ## BIND Config Output
 
@@ -197,4 +197,4 @@ zone "bitcard.org" {
 - 8-space indentation
 - DNSSEC zones (marked with `dnssec` in the input) get `dnssec-policy standard;
   inline-signing yes;` on the same line as `file`
-- Every zone must have a `file=` property when `--bind-conf` is used
+- Zones without a `file=` property are skipped (they appear in catalog zones only)