dnssec-validation yes;
<% end -%>
-<% if %w{senfl ravel orff diamond rietz}.include?(hostname) -%>
+<% if classes.include?('named::authoritative') and not classes.include?('named::primary') -%>
rate-limit {
responses-per-second 25;
window 5;
};
+<% if classes.include?('named::authoritative') -%>
+include "/etc/bind/named.conf.puppet-shared-keys";
+<% end -%>