diff --git a/dns/files/named.conf.local b/dns/files/named.conf.local
new file mode 100644
index 0000000..cc1b8a2
--- /dev/null
+++ b/dns/files/named.conf.local
@@ -0,0 +1,2 @@
+acl trusted { localhost; localnets; };
+acl nameservers { localhost; };
diff --git a/dns/files/named.conf.options b/dns/files/named.conf.options
new file mode 100644
index 0000000..b683553
--- /dev/null
+++ b/dns/files/named.conf.options
@@ -0,0 +1,9 @@
+
+options {
+ listen-on { any; };
+ listen-on-v6 { none; };
+
+ allow-query { any; };
+ allow-recursion { trusted; };
+ allow-transfer { nameservers; };
+};
diff --git a/dns/manifests/init.pp b/dns/manifests/init.pp
index 9d2c853..21e3910 100644
--- a/dns/manifests/init.pp
+++ b/dns/manifests/init.pp
@@ -15,32 +15,43 @@ class dns::server {
 }
 }
+ # first set per os paths
 case $operatingsystem {
 "fedora": {
- $chroot = ""
 $confdir = "/etc/named"
 }
 "centos": {
 case $operatingsystemrelease {
 /^5\..*/: {
 $chroot = "/var/named/chroot"
- $confdir = "/etc"
 }
 default: {
- $chroot = ""
 $confdir = "/etc/named"
 }
 }
 }
 "ubuntu": {
- $chroot = ""
 $confdir = "/etc/bind"
+ $config = "${confdir}/named.conf"
+ $rndckey = "${confdir}/rndc.key"
 }
- default: {
+ "openbsd": {
 $chroot = "/var/named"
- $confdir = "/etc"
 }
 }
+ # if some var is not set use default value
+ if !$confdir {
+ $confdir = "/etc"
+ }
+ if !$config {
+ $config = "/etc/named.conf"
+ }
+ if !$rndckey {
+ $rndckey = "/etc/rndc.key"
+ }
+ if !$chroot {
+ $chroot = ""
+ }
 case $operatingsystem {
 "ubuntu": {
@@ -51,7 +62,7 @@ class dns::server {
 }
 }
- file { "${chroot}${confdir}/rndc.key":
+ file { "${chroot}${rndckey}":
 ensure => present,
 mode => 0640,
 owner => "root",
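Review bot: `acl nameservers { localhost; };` is the only member of the ACL that named.conf.options uses for `allow-transfer` and that the zone.master.erb fallback now references, so with this file as shipped no secondary server can transfer a zone. `localnets` in `trusted` also grants recursion to every network the host is directly attached to, which on a multi-homed server is broader than the explicit network list the deleted named.conf.local.erb template rendered. Since init.pp tries `puppet:///files/dns/named.conf.local.${fqdn}` before this module copy, the file appears to be a placeholder meant to be overridden per host; a header comment saying so would stop it being deployed unchanged, e.g. `// Module defaults only: override per host via files/dns/named.conf.local.<fqdn> and add secondaries to "nameservers".`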
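Review bot: The new options file drops `directory`, `auth-nxdomain no` and `version ""`, all of which the deleted named.conf.options.erb template carried. Unless the generated named.conf now emits them (its generator template is not readable in this diff), named will run with its compiled-in defaults and the server version becomes queryable again. Recommend carrying `version "";` and `auth-nxdomain no;` over into `options { ... }`, and stating in a comment where `directory` is expected to be set, e.g. `// "directory" is set in the generated named.conf` if that is the case.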
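Review bot: The `case $operatingsystem` no longer has a `default:` branch, so any operatingsystem other than fedora, centos, ubuntu or openbsd now silently gets `$chroot = ""` and `$confdir = "/etc"` from the fallback `if` blocks, where the old code put every unknown OS into the `/var/named` chroot. If that is intended, the `# if some var is not set use default value` comment should say so explicitly; otherwise a `default: { fail("dns::server: unsupported operatingsystem ${operatingsystem}") }` branch makes the unsupported case visible at catalog time instead of producing an un-chrooted server. The fallback blocks also depend on no per-OS branch assigning the same variable twice, which holds for the branches shown but is worth a comment since a later reassignment would fail.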
@@ -67,12 +78,13 @@ class dns::server {
 default => "rndc-confgen -r /dev/urandom -a -t ${chroot}",
 },
 path => "/bin:/usr/bin:/sbin:/usr/sbin",
- unless => "test -s ${chroot}${confdir}/rndc.key",
- require => File["${chroot}${confdir}/rndc.key"],
+ unless => "test -s ${chroot}${rndckey}",
+ require => File["${chroot}${rndckey}"],
 }
 if "${chroot}" != "" {
 file { "/etc/rndc.key":
- ensure => "${chroot}${confdir}/rndc.key",
+ ensure => link,
+ target => "${chroot}${rndckey}",
 owner => "root",
 group => $group,
 require => Exec["rndc-confgen"],
@@ -98,51 +110,66 @@ class dns::server {
 require => Exec["rndc-confgen"],
 }
- case $operatingsystem {
- "ubuntu": {
- $ipaddr = $dns_listener_ipaddr
- file { "${chroot}${confdir}/named.conf.local":
- ensure => present,
- content => template("dns/named.conf.local.erb"),
- mode => 0640,
- owner => "root",
- group => $group,
- require => Package["bind"],
- notify => Service["named"],
- }
- file { "${chroot}${confdir}/named.conf.options":
- ensure => present,
- content => template("dns/named.conf.options.erb"),
- mode => 0640,
- owner => "root",
- group => $group,
- require => Package["bind"],
- notify => Service["named"],
- }
- }
- default: {
- file { "named.conf":
- path => $operatingsystem ? {
- "centos" => $operatingsystemrelease ? {
- /^5\..*/ => "${chroot}${confdir}/named.conf",
- default => "/etc/named.conf",
- },
- "fedora" => "/etc/named.conf",
- default => "${chroot}${confdir}/named.conf",
- },
- ensure => present,
- source => [ "puppet:///files/dns/named.conf.${fqdn}",
- "puppet:///files/dns/named.conf", ],
- mode => 0640,
- owner => "root",
- group => $group,
- require => $operatingsystem ? {
- openbsd => undef,
- default => Package["bind"],
- },
- notify => Service["named"],
- }
- }
+ file { "named.conf":
+ path => "${chroot}${config}",
+ ensure => present,
+ mode => 0640,
+ owner => "root",
+ group => $group,
+ require => $operatingsystem ? {
+ "openbsd" => undef,
+ default => Package["bind"],
+ },
+ notify => Exec["generate-named-conf"],
+ }
+ file { "/usr/local/sbin/generate-named-conf.sh":
+ ensure => present,
+ content => template("dns/generate-named-conf.sh.erb"),
+ mode => 0755,
+ owner => "root",
+ group => $operatingsystem ?
{
+ "openbsd" => "wheel",
+ default => "root",
+ },
+ notify => Exec["generate-named-conf"],
+ }
+ exec { "generate-named-conf":
+ command => "/usr/local/sbin/generate-named-conf.sh > ${chroot}${config}",
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ user => "root",
+ refreshonly => true,
+ require => File["/usr/local/sbin/generate-named-conf.sh"],
+ notify => Service["named"],
+ }
+
+ file { "${chroot}${confdir}/named.conf.options":
+ ensure => present,
+ source => [ "puppet:///files/dns/named.conf.options.${fqdn}",
+ "puppet:///files/dns/named.conf.options",
+ "puppet:///modules/dns/named.conf.options", ],
+ mode => 0640,
+ owner => "root",
+ group => $group,
+ require => $operatingsystem ? {
+ "openbsd" => undef,
+ default => Package["bind"],
+ },
+ notify => Service["named"],
+ }
+
+ file { "${chroot}${confdir}/named.conf.local":
+ ensure => present,
+ source => [ "puppet:///files/dns/named.conf.local.${fqdn}",
+ "puppet:///files/dns/named.conf.local",
+ "puppet:///modules/dns/named.conf.local", ],
+ mode => 0640,
+ owner => "root",
+ group => $group,
+ require => $operatingsystem ? {
+ "openbsd" => undef,
+ default => Package["bind"],
+ },
+ notify => Service["named"],
 }
 }
@@ -208,10 +235,10 @@ define dns::zone($role = "master", $master = [], $slaves = [], $source = "AUTO")
 "openbsd" => undef,
 default => Package["bind"],
 },
- notify => Service["named"],
+ notify => Exec["generate-named-conf"],
 }
- if $role == "master" {
+ if $role == "master" and $zone != "." {
 if $source != "AUTO" {
 file { "${dns::server::chroot}${zonedir}/db.${zonefile}":
 ensure => present,
@@ -223,7 +250,7 @@ define dns::zone($role = "master", $master = [], $slaves = [], $source = "AUTO")
 "openbsd" => undef,
 default => Package["bind"],
 },
- notify => Service["named"],
+ notify => Exec["generate-named-conf"],
 }
 } else {
 file { "${dns::server::chroot}${zonedir}/db.${zonefile}":
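Review bot: The `generate-named-conf` exec writes the live config with a plain redirection, `> ${chroot}${config}`, which truncates named.conf before the script has produced a byte; if the script fails part way, the exec fails and Service["named"] is not refreshed, but named.conf is left empty or partial and the next restart for any other reason will not load. Writing to a temporary file, validating it and only then replacing the config keeps the last good file in place on failure, e.g. `command => "/usr/local/sbin/generate-named-conf.sh > ${chroot}${config}.new && named-checkconf ${chroot}${config}.new && mv ${chroot}${config}.new ${chroot}${config}"`; in the chrooted layouts named-checkconf would need `-t ${chroot}` and a chroot-relative path, as the existing `rndc-confgen ... -t ${chroot}` call already does, and the temporary file should be created under `umask 027` (or installed with `install -m 0640`) so the 0640 mode that `File["named.conf"]` enforces is not lost until the next agent run. A comment on `File["named.conf"]` noting that it manages only ownership and mode while the content comes from the exec would also help, since `ensure => present` with no `content` or `source` is easy to misread as an unmanaged file. The enclosing class dns::server starts before this hunk.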
diff --git a/dns/templates/generate-named-conf.sh.erb b/dns/templates/generate-named-conf.sh.erb new file mode 100644 index 0000000..53daf33 --- /dev/null +++ b/dns/templates/generate-named-conf.sh.erb @@ -0,0 +1,58 @@ +#!/bin/sh + +chroot="<%= chroot %>" +confdir="<%= confdir %>" +operatingsystem="<%= operatingsystem %>" + +cat < - <%= network %>; -<% end -%> - localhost; -}; - -<% dns_zones.each do |zone| -%> - <% if zone.match(/\//) %> - include "/etc/bind/zone.<%= zone.sub(/\//, '-') %>"; - <% else %> - include "/etc/bind/zone.<%= zone %>"; - <% end -%> -<% end -%> - -// Consider adding the 1918 zones here, if they are not used in your -// organization -//include "/etc/bind/zones.rfc1918"; - diff --git a/dns/templates/named.conf.options.erb b/dns/templates/named.conf.options.erb deleted file mode 100644 index adbc1ba..0000000 --- a/dns/templates/named.conf.options.erb +++ /dev/null @@ -1,30 +0,0 @@ -options { - listen-on { any; }; - listen-on-v6 { none; }; - allow-transfer { xfer; }; - allow-recursion { - trusted; - }; - # recursion yes; - directory "/var/cache/bind"; - // If there is a firewall between you and nameservers you want - // to talk to, you might need to uncomment the query-source - // directive below. Previous versions of BIND always asked - // questions using port 53, but BIND 8.1 and later use an unprivileged - // port by default. - - // query-source address * port 53; - - // If your ISP provided one or more IP addresses for stable - // nameservers, you probably want to use them as forwarders. - // Uncomment the following block, and insert the addresses replacing - // the all-0's placeholder. - - // forwarders { - // 0.0.0.0; - // }; - - auth-nxdomain no; # conform to RFC1035 - version ""; // remove this to allow version queries -}; - diff --git a/dns/templates/zone.master.erb b/dns/templates/zone.master.erb index c3a1a06..a85ded6 100644 --- a/dns/templates/zone.master.erb +++ b/dns/templates/zone.master.erb 
@@ -11,7 +11,7 @@ zone "<%= zone %>" {
 <%= v['ip'] %>;
 <% end -%>
 <% else -%>
- none;
+ nameservers;
 <% end -%>
 };
 allow-update {
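Review bot: The fallback on this line now grants the `nameservers` ACL instead of `none;`, so the effective transfer policy of every master zone without an explicit peer list depends on how that ACL is defined in named.conf.local; with the module default `acl nameservers { localhost; };` that is only the local host, and a site that widens the ACL widens it for every such zone at once. The statement this `else` branch belongs to starts before the hunk (the `v['ip']` loop reads as an `allow-transfer` list of declared peers, to be confirmed). A template comment would make the coupling explicit, e.g. `<%# no peers declared: fall back to the "nameservers" ACL defined in named.conf.local -%>`.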