$TTL    300

@       IN      SOA     <: $title :>. soa.<: $title :>. (
                        <: $version :> ; Serial
                        10800   ; Refresh
                        3600    ; Retry
                        604800  ; Expire
                        10800 ) ; Minimum

; NS Records.
; These are actually academic, as the registrar is where any of this matters.
; You'll have to also set up A / AAAA records with the IP of these NS subdos of yours.
: for $nameservers -> $ns {
<: $title :>. IN NS <: $ns :>.
: }

; A Records
<: $title :>. IN A <: $ip :>
<: $title :>. IN AAAA <: $ip6 :>

; PTR - also academic.  Must be set not with your registrar, but your ISP/colo etc.
<: $ip_reversed :> IN PTR <: $title :>
<: $ip6_reversed :>    IN PTR <: $title :>

; Subtitles. Look ma, it's a glue record!
: for $subdomains -> $sub {
<: $sub.name :>.<: $title :>. IN A    <: $sub.ip :>
<: $sub.name :>.<: $title :>. IN AAAA <: $sub.ip6 :>
:     for $sub.nameservers -> $ns {
<: $sub.name :>.<: $title :>. IN NS   <: $ns :>
:     }
: }

; CNAME records
: for $cnames -> $cname {
<: $cname :>.<: $title :>. IN CNAME <: $title :>.
: }

; MX & SRV records
<: $title :>.    IN MX  0 mail.<: $title :>.
_smtps._tcp.mail.<: $title :>. IN SRV 10 5 587 .
_imaps._tcp.mail.<: $title :>. IN SRV 10 5 993 .
_pop3s._tcp.mail.<: $title :>. IN SRV 10 5 995 .

; SPF, DKIM, DMARC
_dmarc.<: $title :>.          IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@<: $title :>; ruf=mailto:postmaster@<: $title :>"
mail._domainkey.<: $title :>. IN TXT "v=DKIM1; h=sha256; k=rsa; t=y; p=<: $dkim_pkey :>"
<: $title :>.                 IN TXT "v=spf1 +mx +a +ip4:<: $ip :> +ip6:<: $ip6 :> ~all"

; Indexer verification
<: $title :>.                 IN TXT "google-site-verification=<: $gsv_string :>"

; LetsEncyst
_acme-challenge.<: $title :>. IN TXT  "<: $acme_challenge :>"
<: $title :>.                 IN CAA 0 issue "letsencrypt.org"