diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py
index 079c584ba..4db1d7495 100755
--- a/smoketest/scripts/cli/test_service_dns_forwarding.py
+++ b/smoketest/scripts/cli/test_service_dns_forwarding.py
@@ -1,295 +1,305 @@
 #!/usr/bin/env python3
 #
 # Copyright (C) 2019-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import re
 import unittest
 
 from base_vyostest_shim import VyOSUnitTestSHIM
 
 from vyos.configsession import ConfigSessionError
 from vyos.template import bracketize_ipv6
 from vyos.utils.file import read_file
 from vyos.utils.process import process_named_running
 
 PDNS_REC_RUN_DIR = '/run/pdns-recursor'
 CONFIG_FILE = f'{PDNS_REC_RUN_DIR}/recursor.conf'
 FORWARD_FILE = f'{PDNS_REC_RUN_DIR}/recursor.forward-zones.conf'
 HOSTSD_FILE = f'{PDNS_REC_RUN_DIR}/recursor.vyos-hostsd.conf.lua'
 PROCESS_NAME= 'pdns_recursor'
 
 base_path = ['service', 'dns', 'forwarding']
 
 allow_from = ['192.0.2.0/24', '2001:db8::/32']
 listen_adress = ['127.0.0.1', '::1']
 
 def get_config_value(key, file=CONFIG_FILE):
     tmp = read_file(file)
     tmp = re.findall(r'\n{}=+(.*)'.format(key), tmp)
     return tmp[0]
 
 class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
     @classmethod
     def setUpClass(cls):
         super(TestServicePowerDNS, cls).setUpClass()
         # ensure we can also run this test on a live system - so lets clean
         # out the current configuration :)
         cls.cli_delete(cls, base_path)
 
     def tearDown(self):
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
 
         # Delete DNS forwarding configuration
         self.cli_delete(base_path)
         self.cli_commit()
 
         # Check for running process
         self.assertFalse(process_named_running(PROCESS_NAME))
 
     def setUp(self):
         # forward to base class
         super().setUp()
         for network in allow_from:
             self.cli_set(base_path + ['allow-from', network])
         for address in listen_adress:
             self.cli_set(base_path + ['listen-address', address])
 
     def test_basic_forwarding(self):
         # Check basic DNS forwarding settings
         cache_size = '20'
         negative_ttl = '120'
 
         # remove code from setUp() as in this test-case we validate the proper
         # handling of assertions when specific CLI nodes are missing
         self.cli_delete(base_path)
 
         self.cli_set(base_path + ['cache-size', cache_size])
         self.cli_set(base_path + ['negative-ttl', negative_ttl])
 
         # check validate() - allow from must be defined
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
         for network in allow_from:
             self.cli_set(base_path + ['allow-from', network])
 
         # check validate() - listen-address must be defined
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
         for address in listen_adress:
             self.cli_set(base_path + ['listen-address', address])
 
         # configure DNSSEC
         self.cli_set(base_path + ['dnssec', 'validate'])
 
         # Do not use local /etc/hosts file in name resolution
         self.cli_set(base_path + ['ignore-hosts-file'])
 
         # commit changes
         self.cli_commit()
 
         # Check configured cache-size
         tmp = get_config_value('max-cache-entries')
         self.assertEqual(tmp, cache_size)
 
         # Networks allowed to query this server
         tmp = get_config_value('allow-from')
         self.assertEqual(tmp, ','.join(allow_from))
 
         # Addresses to listen for DNS queries
         tmp = get_config_value('local-address')
         self.assertEqual(tmp, ','.join(listen_adress))
 
         # Maximum amount of time negative entries are cached
         tmp = get_config_value('max-negative-ttl')
         self.assertEqual(tmp, negative_ttl)
 
         # Do not use local /etc/hosts file in name resolution
         tmp = get_config_value('export-etc-hosts')
         self.assertEqual(tmp, 'no')
 
         # RFC1918 addresses are looked up by default
         tmp = get_config_value('serve-rfc1918')
         self.assertEqual(tmp, 'yes')
 
         # verify default port configuration
         tmp = get_config_value('local-port')
         self.assertEqual(tmp, '53')
 
     def test_dnssec(self):
         # DNSSEC option testing
         options = ['off', 'process-no-validate', 'process', 'log-fail', 'validate']
         for option in options:
             self.cli_set(base_path + ['dnssec', option])
 
             # commit changes
             self.cli_commit()
 
             tmp = get_config_value('dnssec')
             self.assertEqual(tmp, option)
 
     def test_external_nameserver(self):
         # Externe Domain Name Servers (DNS) addresses
         nameservers = {'192.0.2.1': {}, '192.0.2.2': {'port': '53'}, '2001:db8::1': {'port': '853'}}
         for h,p in nameservers.items():
             if 'port' in p:
                 self.cli_set(base_path + ['name-server', h, 'port', p['port']])
             else:
                 self.cli_set(base_path + ['name-server', h])
 
         # commit changes
         self.cli_commit()
 
         tmp = get_config_value(r'\+.', file=FORWARD_FILE)
         canonical_entries = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port'] if 'port' in p else 53}")(h, p)
                              for (h, p) in nameservers.items()]
         self.assertEqual(tmp, ', '.join(canonical_entries))
 
         # Do not use local /etc/hosts file in name resolution
         # default: yes
         tmp = get_config_value('export-etc-hosts')
         self.assertEqual(tmp, 'yes')
 
     def test_domain_forwarding(self):
         domains = ['vyos.io', 'vyos.net', 'vyos.com']
         nameservers = {'192.0.2.1': {}, '192.0.2.2': {'port': '53'}, '2001:db8::1': {'port': '853'}}
         for domain in domains:
             for h,p in nameservers.items():
                 if 'port' in p:
                     self.cli_set(base_path + ['domain', domain, 'name-server', h, 'port', p['port']])
                 else:
                     self.cli_set(base_path + ['domain', domain, 'name-server', h])
 
             # Test 'recursion-desired' flag for only one domain
             if domain == domains[0]:
                 self.cli_set(base_path + ['domain', domain, 'recursion-desired'])
 
             # Test 'negative trust anchor' flag for the second domain only
             if domain == domains[1]:
                 self.cli_set(base_path + ['domain', domain, 'addnta'])
 
         # commit changes
         self.cli_commit()
 
         # Test configured name-servers
         hosts_conf = read_file(HOSTSD_FILE)
         for domain in domains:
             # Test 'recursion-desired' flag for the first domain only
             if domain == domains[0]: key =f'\+{domain}'
             else: key =f'{domain}'
             tmp = get_config_value(key, file=FORWARD_FILE)
             canonical_entries = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port'] if 'port' in p else 53}")(h, p)
                         for (h, p) in nameservers.items()]
             self.assertEqual(tmp, ', '.join(canonical_entries))
 
             # Test 'negative trust anchor' flag for the second domain only
             if domain == domains[1]:
                 self.assertIn(f'addNTA("{domain}", "static")', hosts_conf)
 
     def test_no_rfc1918_forwarding(self):
         self.cli_set(base_path + ['no-serve-rfc1918'])
 
         # commit changes
         self.cli_commit()
 
         # verify configuration
         tmp = get_config_value('serve-rfc1918')
         self.assertEqual(tmp, 'no')
 
     def test_dns64(self):
         dns_prefix = '64:ff9b::/96'
         # Check dns64-prefix - must be prefix /96
         self.cli_set(base_path + ['dns64-prefix', '2001:db8:aabb::/64'])
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
         self.cli_set(base_path + ['dns64-prefix', dns_prefix])
 
         # commit changes
         self.cli_commit()
 
         # verify dns64-prefix configuration
         tmp = get_config_value('dns64-prefix')
         self.assertEqual(tmp, dns_prefix)
 
     def test_exclude_throttle_adress(self):
         exclude_throttle_adress_examples = [
             '192.168.128.255',
             '10.0.0.0/25',
             '2001:db8:85a3:8d3:1319:8a2e:370:7348',
             '64:ff9b::/96'
         ]
         for exclude_throttle_adress in exclude_throttle_adress_examples:
             self.cli_set(base_path + ['exclude-throttle-address', exclude_throttle_adress])
 
         # commit changes
         self.cli_commit()
 
         # verify dont-throttle-netmasks configuration
         tmp = get_config_value('dont-throttle-netmasks')
         self.assertEqual(tmp, ','.join(exclude_throttle_adress_examples))
 
     def test_serve_stale_extension(self):
         server_stale = '20'
         self.cli_set(base_path + ['serve-stale-extension', server_stale])
         # commit changes
         self.cli_commit()
         # verify configuration
         tmp = get_config_value('serve-stale-extensions')
         self.assertEqual(tmp, server_stale)
 
     def test_listening_port(self):
         # We can listen on a different port compared to '53' but only one at a time
         for port in ['10053', '10054']:
             self.cli_set(base_path + ['port', port])
             # commit changes
             self.cli_commit()
             # verify local-port configuration
             tmp = get_config_value('local-port')
             self.assertEqual(tmp, port)
 
     def test_ecs_add_for(self):
         options = ['0.0.0.0/0', '!10.0.0.0/8', 'fc00::/7', '!fe80::/10']
         for param in options:
             self.cli_set(base_path + ['options', 'ecs-add-for', param])
 
         # commit changes
         self.cli_commit()
         # verify ecs_add_for configuration
         tmp = get_config_value('ecs-add-for')
         self.assertEqual(tmp, ','.join(options))
 
     def test_ecs_ipv4_bits(self):
         option_value = '24'
         self.cli_set(base_path + ['options', 'ecs-ipv4-bits', option_value])
         # commit changes
         self.cli_commit()
         # verify ecs_ipv4_bits configuration
         tmp = get_config_value('ecs-ipv4-bits')
         self.assertEqual(tmp, option_value)
 
     def test_edns_subnet_allow_list(self):
         options = ['192.0.2.1/32', 'example.com', 'fe80::/10']
         for param in options:
             self.cli_set(base_path + ['options', 'edns-subnet-allow-list', param])
 
         # commit changes
         self.cli_commit()
 
         # verify edns_subnet_allow_list configuration
         tmp = get_config_value('edns-subnet-allow-list')
         self.assertEqual(tmp, ','.join(options))
 
+    def test_multiple_ns_records(self):
+        test_zone = 'example.com'
+        self.cli_set(base_path + ['authoritative-domain', test_zone, 'records', 'ns', 'test', 'target', f'ns1.{test_zone}'])
+        self.cli_set(base_path + ['authoritative-domain', test_zone, 'records', 'ns', 'test', 'target', f'ns2.{test_zone}'])
+        self.cli_commit()
+        zone_config = read_file(f'{PDNS_REC_RUN_DIR}/zone.{test_zone}.conf')
+        self.assertRegex(zone_config, fr'test\s+\d+\s+NS\s+ns1\.{test_zone}\.')
+        self.assertRegex(zone_config, fr'test\s+\d+\s+NS\s+ns2\.{test_zone}\.')
+
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/src/conf_mode/service_dns_forwarding.py b/src/conf_mode/service_dns_forwarding.py
index e8318a83e..70686534f 100755
--- a/src/conf_mode/service_dns_forwarding.py
+++ b/src/conf_mode/service_dns_forwarding.py
@@ -1,382 +1,382 @@
 #!/usr/bin/env python3
 #
 # Copyright (C) 2018-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
 
 from sys import exit
 from glob import glob
 
 from vyos.config import Config
 from vyos.hostsd_client import Client as hostsd_client
 from vyos.template import render
 from vyos.template import bracketize_ipv6
 from vyos.utils.network import interface_exists
 from vyos.utils.process import call
 from vyos.utils.permission import chown
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
 
 pdns_rec_user_group = 'pdns'
 pdns_rec_run_dir = '/run/pdns-recursor'
 pdns_rec_lua_conf_file = f'{pdns_rec_run_dir}/recursor.conf.lua'
 pdns_rec_hostsd_lua_conf_file = f'{pdns_rec_run_dir}/recursor.vyos-hostsd.conf.lua'
 pdns_rec_hostsd_zones_file = f'{pdns_rec_run_dir}/recursor.forward-zones.conf'
 pdns_rec_config_file = f'{pdns_rec_run_dir}/recursor.conf'
 pdns_rec_systemd_override = '/run/systemd/system/pdns-recursor.service.d/override.conf'
 
 hostsd_tag = 'static'
 
 def get_config(config=None):
     if config:
         conf = config
     else:
         conf = Config()
     base = ['service', 'dns', 'forwarding']
     if not conf.exists(base):
         return None
 
     dns = conf.get_config_dict(base, key_mangling=('-', '_'),
                                no_tag_node_value_mangle=True,
                                get_first_key=True,
                                with_recursive_defaults=True)
 
     dns['config_file'] = pdns_rec_config_file
     dns['config_dir'] = os.path.dirname(pdns_rec_config_file)
 
     # some additions to the default dictionary
     if 'system' in dns:
         base_nameservers = ['system', 'name-server']
         if conf.exists(base_nameservers):
             dns.update({'system_name_server': conf.return_values(base_nameservers)})
 
     if 'authoritative_domain' in dns:
         dns['authoritative_zones'] = []
         dns['authoritative_zone_errors'] = []
         for node in dns['authoritative_domain']:
             zonedata = dns['authoritative_domain'][node]
             if ('disable' in zonedata) or (not 'records' in zonedata):
                 continue
             zone = {
                 'name': node,
                 'file': "{}/zone.{}.conf".format(pdns_rec_run_dir, node),
                 'records': [],
             }
 
             recorddata = zonedata['records']
 
             for rtype in [ 'a', 'aaaa', 'cname', 'mx', 'ns', 'ptr', 'txt', 'spf', 'srv', 'naptr' ]:
                 if rtype not in recorddata:
                     continue
                 for subnode in recorddata[rtype]:
                     if 'disable' in recorddata[rtype][subnode]:
                         continue
 
                     rdata = recorddata[rtype][subnode]
 
                     if rtype in [ 'a', 'aaaa' ]:
                         if not 'address' in rdata:
                             dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one address is required')
                             continue
 
                         if subnode == 'any':
                             subnode = '*'
 
                         for address in rdata['address']:
                             zone['records'].append({
                                 'name': subnode,
                                 'type': rtype.upper(),
                                 'ttl': rdata['ttl'],
                                 'value': address
                             })
                     elif rtype in ['cname', 'ptr']:
                         if not 'target' in rdata:
                             dns['authoritative_zone_errors'].append(f'{subnode}.{node}: target is required')
                             continue
 
                         zone['records'].append({
                             'name': subnode,
                             'type': rtype.upper(),
                             'ttl': rdata['ttl'],
                             'value': '{}.'.format(rdata['target'])
                         })
                     elif rtype == 'ns':
                         if not 'target' in rdata:
-                            dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at leaast one target is required')
+                            dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one target is required')
                             continue
 
                         for target in rdata['target']:
                             zone['records'].append({
                                 'name': subnode,
                                 'type': rtype.upper(),
                                 'ttl': rdata['ttl'],
-                                'value': '{}.'.format(target)
+                                'value': f'{target}.'
                             })
 
                     elif rtype == 'mx':
                         if not 'server' in rdata:
                             dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one server is required')
                             continue
 
                         for servername in rdata['server']:
                             serverdata = rdata['server'][servername]
                             zone['records'].append({
                                 'name': subnode,
                                 'type': rtype.upper(),
                                 'ttl': rdata['ttl'],
                                 'value': '{} {}.'.format(serverdata['priority'], servername)
                             })
                     elif rtype == 'txt':
                         if not 'value' in rdata:
                             dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one value is required')
                             continue
 
                         for value in rdata['value']:
                             zone['records'].append({
                                 'name': subnode,
                                 'type': rtype.upper(),
                                 'ttl': rdata['ttl'],
                                 'value': "\"{}\"".format(value.replace("\"", "\\\""))
                             })
                     elif rtype == 'spf':
                         if not 'value' in rdata:
                             dns['authoritative_zone_errors'].append(f'{subnode}.{node}: value is required')
                             continue
 
                         zone['records'].append({
                             'name': subnode,
                             'type': rtype.upper(),
                             'ttl': rdata['ttl'],
                             'value': '"{}"'.format(rdata['value'].replace("\"", "\\\""))
                         })
                     elif rtype == 'srv':
                         if not 'entry' in rdata:
                             dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one entry is required')
                             continue
 
                         for entryno in rdata['entry']:
                             entrydata = rdata['entry'][entryno]
                             if not 'hostname' in entrydata:
                                 dns['authoritative_zone_errors'].append(f'{subnode}.{node}: hostname is required for entry {entryno}')
                                 continue
 
                             if not 'port' in entrydata:
                                 dns['authoritative_zone_errors'].append(f'{subnode}.{node}: port is required for entry {entryno}')
                                 continue
 
                             zone['records'].append({
                                 'name': subnode,
                                 'type': rtype.upper(),
                                 'ttl': rdata['ttl'],
                                 'value': '{} {} {} {}.'.format(entrydata['priority'], entrydata['weight'], entrydata['port'], entrydata['hostname'])
                             })
                     elif rtype == 'naptr':
                         if not 'rule' in rdata:
                             dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one rule is required')
                             continue
 
                         for ruleno in rdata['rule']:
                             ruledata = rdata['rule'][ruleno]
                             flags = ""
                             if 'lookup-srv' in ruledata:
                                 flags += "S"
                             if 'lookup-a' in ruledata:
                                 flags += "A"
                             if 'resolve-uri' in ruledata:
                                 flags += "U"
                             if 'protocol-specific' in ruledata:
                                 flags += "P"
 
                             if 'order' in ruledata:
                                 order = ruledata['order']
                             else:
                                 order = ruleno
 
                             if 'regexp' in ruledata:
                                 regexp= ruledata['regexp'].replace("\"", "\\\"")
                             else:
                                 regexp = ''
 
                             if ruledata['replacement']:
                                 replacement = '{}.'.format(ruledata['replacement'])
                             else:
                                 replacement = ''
 
                             zone['records'].append({
                                 'name': subnode,
                                 'type': rtype.upper(),
                                 'ttl': rdata['ttl'],
                                 'value': '{} {} "{}" "{}" "{}" {}'.format(order, ruledata['preference'], flags, ruledata['service'], regexp, replacement)
                             })
 
             dns['authoritative_zones'].append(zone)
 
     return dns
 
 def verify(dns):
     # bail out early - looks like removal from running config
     if not dns:
         return None
 
     if 'listen_address' not in dns:
         raise ConfigError('DNS forwarding requires a listen-address')
 
     if 'allow_from' not in dns:
         raise ConfigError('DNS forwarding requires an allow-from network')
 
     # we can not use dict_search() when testing for domain servers
     # as a domain will contains dot's which is out dictionary delimiter.
     if 'domain' in dns:
         for domain in dns['domain']:
             if 'name_server' not in dns['domain'][domain]:
                 raise ConfigError(f'No server configured for domain {domain}!')
 
     if 'dns64_prefix' in dns:
         dns_prefix = dns['dns64_prefix'].split('/')[1]
         # RFC 6147 requires prefix /96
         if int(dns_prefix) != 96:
             raise ConfigError('DNS 6to4 prefix must be of length /96')
 
     if ('authoritative_zone_errors' in dns) and dns['authoritative_zone_errors']:
         for error in dns['authoritative_zone_errors']:
             print(error)
         raise ConfigError('Invalid authoritative records have been defined')
 
     if 'system' in dns:
         if not 'system_name_server' in dns:
             print('Warning: No "system name-server" configured')
 
     return None
 
 def generate(dns):
     # bail out early - looks like removal from running config
     if not dns:
         return None
 
     render(pdns_rec_systemd_override, 'dns-forwarding/override.conf.j2', dns)
 
     render(pdns_rec_config_file, 'dns-forwarding/recursor.conf.j2', dns,
            user=pdns_rec_user_group, group=pdns_rec_user_group)
 
     render(pdns_rec_config_file, 'dns-forwarding/recursor.conf.j2', dns,
            user=pdns_rec_user_group, group=pdns_rec_user_group)
 
     render(pdns_rec_lua_conf_file, 'dns-forwarding/recursor.conf.lua.j2', dns,
            user=pdns_rec_user_group, group=pdns_rec_user_group)
 
     for zone_filename in glob(f'{pdns_rec_run_dir}/zone.*.conf'):
         os.unlink(zone_filename)
 
     if 'authoritative_zones' in dns:
         for zone in dns['authoritative_zones']:
             render(zone['file'], 'dns-forwarding/recursor.zone.conf.j2',
                     zone, user=pdns_rec_user_group, group=pdns_rec_user_group)
 
 
     # if vyos-hostsd didn't create its files yet, create them (empty)
     for file in [pdns_rec_hostsd_lua_conf_file, pdns_rec_hostsd_zones_file]:
         with open(file, 'a'):
             pass
         chown(file, user=pdns_rec_user_group, group=pdns_rec_user_group)
 
     return None
 
 def apply(dns):
     systemd_service = 'pdns-recursor.service'
     # Reload systemd manager configuration
     call('systemctl daemon-reload')
 
     if not dns:
         # DNS forwarding is removed in the commit
         call(f'systemctl stop {systemd_service}')
 
         if os.path.isfile(pdns_rec_config_file):
             os.unlink(pdns_rec_config_file)
 
         for zone_filename in glob(f'{pdns_rec_run_dir}/zone.*.conf'):
             os.unlink(zone_filename)
     else:
         ### first apply vyos-hostsd config
         hc = hostsd_client()
 
         # add static nameservers to hostsd so they can be joined with other
         # sources
         hc.delete_name_servers([hostsd_tag])
         if 'name_server' in dns:
             # 'name_server' is of the form
             # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...}
             # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...]
             nslist = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p)
                       for (h, p) in dns['name_server'].items()]
             hc.add_name_servers({hostsd_tag: nslist})
 
         # delete all nameserver tags
         hc.delete_name_server_tags_recursor(hc.get_name_server_tags_recursor())
 
         ## add nameserver tags - the order determines the nameserver order!
         # our own tag (static)
         hc.add_name_server_tags_recursor([hostsd_tag])
 
         if 'system' in dns:
             hc.add_name_server_tags_recursor(['system'])
         else:
             hc.delete_name_server_tags_recursor(['system'])
 
         # add dhcp nameserver tags for configured interfaces
         if 'system_name_server' in dns:
             for interface in dns['system_name_server']:
                 # system_name_server key contains both IP addresses and interface
                 # names (DHCP) to use DNS servers. We need to check if the
                 # value is an interface name - only if this is the case, add the
                 # interface based DNS forwarder.
                 if interface_exists(interface):
                     hc.add_name_server_tags_recursor(['dhcp-' + interface,
                                                       'dhcpv6-' + interface ])
 
         # hostsd will generate the forward-zones file
         # the list and keys() are required as get returns a dict, not list
         hc.delete_forward_zones(list(hc.get_forward_zones().keys()))
         if 'domain' in dns:
             zones = dns['domain']
             for domain in zones.keys():
                 # 'name_server' is of the form
                 # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...}
                 # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...]
                 zones[domain]['name_server'] = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p)
                                                 for (h, p) in zones[domain]['name_server'].items()]
             hc.add_forward_zones(zones)
 
         # hostsd generates NTAs for the authoritative zones
         # the list and keys() are required as get returns a dict, not list
         hc.delete_authoritative_zones(list(hc.get_authoritative_zones()))
         if 'authoritative_zones' in dns:
             hc.add_authoritative_zones(list(map(lambda zone: zone['name'], dns['authoritative_zones'])))
 
         # call hostsd to generate forward-zones and its lua-config-file
         hc.apply()
 
         ### finally (re)start pdns-recursor
         call(f'systemctl reload-or-restart {systemd_service}')
 
 if __name__ == '__main__':
     try:
         c = get_config()
         verify(c)
         generate(c)
         apply(c)
     except ConfigError as e:
         print(e)
         exit(1)