diff --git a/manifests/zone.pp b/manifests/zone.pp
index 6522960..aa7a4d6 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -3,6 +3,7 @@ define bind::zone (
 $zone_type,
 $domain = '',
+ $dynamic = true,
 $masters = '',
 $transfer_source = '',
 $allow_updates = '',
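Review bot: A default of `$dynamic = true` turns into a breaking change once the `dynamic implies master zone` check added in the next hunk is actually enforced: every existing slave, stub, hint or forward `bind::zone` declaration would then have to pass `dynamic => false` explicitly or fail catalog compilation, and the commit does not mention this. A type-dependent default keeps the old behaviour for master zones (whose zone file was previously always created with `replace => false`) without touching other zone types — declare `$dynamic = undef,` here and, before the validations, derive the effective flag with something like `$_dynamic = $dynamic ? { undef => $zone_type == 'master', default => $dynamic }`, then use `$_dynamic` wherever the body currently reads `$dynamic`. The parameter list this hunk edits continues past both edges of the hunk.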
@@ -16,74 +17,104 @@ define bind::zone (
 $forward = '',
 $source = '',
 ) {
- $cachedir = $bind::cachedir
+ # where there is a zone, there is a server
+ include bind
+ $cachedir = $::bind::cachedir
+ $_domain = pick($domain, $name)
- if $domain == '' {
- $_domain = $name
- } else {
- $_domain = $domain
+ # dynamic implies master zone
+ validate_bool(!($dynamic and $zone_type != 'master'))
+
+ # masters implies slave/stub zone
+ validate_bool(!($masters != '' and ! member(['slave', 'stub'], $zone_type)))
+
+ # transfer_source implies slave/stub zone
+ validate_bool(!($transfer_source != '' and ! member(['slave', 'stub'], $zone_type)))
+
+ # allow_updates implies dynamic
+ validate_bool(!($allow_update != '' and ! $dynamic))
+
+ # dnssec implies dynamic zone
+ validate_bool(!($dnssec and ! $dynamic))
+
+ # key_directory implies dnssec
+ validate_bool(!($key_directory != '' and ! $dnssec))
+
+ # allow_notify implies slave/stub zone
+ validate_bool(!($allow_notify != '' and ! member(['slave', 'stub'], $zone_type)))
+
+ # forwarders implies forward zone
+ validate_bool(!($forwarders != '' and $zone_type != 'forward'))
+
+ # forward implies forward zone
+ validate_bool(!($forward != '' and $zone_type != 'forward'))
+
+ # source implies master/hint zone
+ validate_bool(!($source != '' and ! member(['master', 'hint'], $zone_type)))
+
+ $zone_file_mode = $zone_type ? {
+ 'master' => $dynamic ? {
+ true => 'init',
+ false => 'managed',
+ },
+ 'slave' => 'allowed',
+ 'hint' => 'managed',
+ 'stub' => 'allowed',
+ default => 'absent',
 }
- $has_zone_file = $zone_type ?
{
- 'master' => true,
- 'slave' => true,
- 'hint' => true,
- 'stub' => true,
- default => false,
- }
-
- if $has_zone_file {
- if $zone_type == 'master' and $source != '' {
- $_source = $source
- } else {
- $_source = 'puppet:///modules/bind/db.empty'
- }
-
+ if member(['init', 'managed', 'allowed'], $zone_file_mode) {
 file { "${cachedir}/${name}":
 ensure => directory,
- owner => $bind::params::bind_user,
- group => $bind::params::bind_group,
+ owner => $::bind::params::bind_user,
+ group => $::bind::params::bind_group,
 mode => '0755',
 require => Package['bind'],
 }
- file { "${cachedir}/${name}/${_domain}":
- ensure => present,
- owner => $bind::params::bind_user,
- group => $bind::params::bind_group,
- mode => '0644',
- replace => false,
- source => $_source,
- audit => [ content ],
+ if member(['init', 'managed'], $zone_file_mode) {
+ file { "${cachedir}/${name}/${_domain}":
+ ensure => present,
+ owner => $::bind::params::bind_user,
+ group => $::bind::params::bind_group,
+ mode => '0644',
+ replace => ($zone_file_mode == 'managed'),
+ source => pick($source, 'puppet:///modules/bind/db.empty'),
+ audit => [ content ],
+ }
 }
-
- if $dnssec {
- exec { "dnssec-keygen-${name}":
- command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\
- '${_domain}' '${key_directory}'",
- cwd => $cachedir,
- user => $bind::params::bind_user,
- creates => "${cachedir}/${name}/${_domain}.signed",
- timeout => 0, # crypto is hard
- require => [
- File['/usr/local/bin/dnssec-init'],
- File["${cachedir}/${name}/${_domain}"]
- ],
- }
-
- file { "${cachedir}/${name}/${_domain}.signed":
- owner => $bind::params::bind_user,
- group => $bind::params::bind_group,
- mode => '0644',
- audit => [ content ],
- }
+ } elsif $zone_file_mode == 'absent' {
+ file { "${cachedir}/${name}":
+ ensure => absent,
 }
 }
- file { "${bind::confdir}/zones/${name}.conf":
+ if $dnssec {
+ exec { "dnssec-keygen-${name}":
+ command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\
+ '${_domain}'
'${key_directory}'",
+ cwd => $cachedir,
+ user => $::bind::params::bind_user,
+ creates => "${cachedir}/${name}/${_domain}.signed",
+ timeout => 0, # crypto is hard
+ require => [
+ File['/usr/local/bin/dnssec-init'],
+ File["${cachedir}/${name}/${_domain}"]
+ ],
+ }
+
+ file { "${cachedir}/${name}/${_domain}.signed":
+ owner => $::bind::params::bind_user,
+ group => $::bind::params::bind_group,
+ mode => '0644',
+ audit => [ content ],
+ }
+ }
+
+ file { "${::bind::confdir}/zones/${name}.conf":
 ensure => present,
 owner => 'root',
- group => $bind::params::bind_group,
+ group => $::bind::params::bind_group,
 mode => '0644',
 content => template('bind/zone.conf.erb'),
 notify => Service['bind'],
diff --git a/metadata.json b/metadata.json
index 8d00a00..d825440 100644
--- a/metadata.json
+++ b/metadata.json
@@ -27,6 +27,7 @@
 }
 ],
 "dependencies": [
+ { "name": "puppetlabs/stdlib" },
 { "name": "puppetlabs/concat", "version_requirement": ">=1.0.0 <2.0.0" },
 { "name": "ripienaar/module_data" }
 ]
diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb
index 98a4fcf..4be5f17 100644
--- a/templates/zone.conf.erb
+++ b/templates/zone.conf.erb
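Review bot: The ten `validate_bool(!(...))` calls at the top of this hunk enforce nothing: `!` of any expression is already a boolean, and as far as I know stdlib's `validate_bool` only checks that its argument is `true` or `false`, so every call passes whether or not the implication holds — each needs to be a real assertion of the form `if <cond> { fail(...) }`. Once that is fixed, note that the `allow_updates implies dynamic` check reads `$allow_update` (singular) while the parameter declared in the previous hunk is `$allow_updates`, so the check would compare an undefined variable (a silent no-op on Puppet 3 without strict variables, a compile error with them). Separately, the new `elsif $zone_file_mode == 'absent'` branch removes the zone directory with `ensure => absent` but no `force => true,`, which Puppet needs before it will remove a directory that still holds zone files. The define opens in the previous hunk and its closing braces lie past the end of this one.
```puppet
  $_domain = pick($domain, $name)

  if $dynamic and $zone_type != 'master' {
    fail("bind::zone ${name}: dynamic => true is only valid for master zones")
  }
  if $masters != '' and ! member(['slave', 'stub'], $zone_type) {
    fail("bind::zone ${name}: masters is only valid for slave/stub zones")
  }
  if $transfer_source != '' and ! member(['slave', 'stub'], $zone_type) {
    fail("bind::zone ${name}: transfer_source is only valid for slave/stub zones")
  }
  if $allow_updates != '' and ! $dynamic {
    fail("bind::zone ${name}: allow_updates requires dynamic => true")
  }
  if $dnssec and ! $dynamic {
    fail("bind::zone ${name}: dnssec requires dynamic => true")
  }
  if $key_directory != '' and ! $dnssec {
    fail("bind::zone ${name}: key_directory requires dnssec => true")
  }
  if $allow_notify != '' and ! member(['slave', 'stub'], $zone_type) {
    fail("bind::zone ${name}: allow_notify is only valid for slave/stub zones")
  }
  if $forwarders != '' and $zone_type != 'forward' {
    fail("bind::zone ${name}: forwarders is only valid for forward zones")
  }
  if $forward != '' and $zone_type != 'forward' {
    fail("bind::zone ${name}: forward is only valid for forward zones")
  }
  if $source != '' and ! member(['master', 'hint'], $zone_type) {
    fail("bind::zone ${name}: source is only valid for master/hint zones")
  }

  # … unchanged: $zone_file_mode selector, directory/zone file resources, dnssec exec, zone .conf …
```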
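Review bot: The new `puppetlabs/stdlib` dependency carries no `version_requirement`, unlike the `puppetlabs/concat` entry right below it, so the module will resolve against whatever stdlib release the installer happens to pick, and a future major release can change or remove the `pick`, `member` and `validate_bool` functions that `manifests/zone.pp` now relies on. Pin it to the range you actually tested, in the same style as the concat entry, e.g. `{ "name": "puppetlabs/stdlib", "version_requirement": ">=4.0.0 <5.0.0" },` with the bounds adjusted to the release you verified against.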
@@ -2,35 +2,33 @@
 # This file managed by puppet - changes will be lost
 zone "<%= @_domain %>" {
 type <%= @zone_type %>;
-<%- if @has_zone_file -%>
-<%- if @dnssec -%>
+<%- if @dnssec -%>
 auto-dnssec maintain;
-<%- if @key_directory and @key_directory != '' -%>
+<%- if @key_directory and @key_directory != '' -%>
 key-directory "<%= @key_directory %>";
-<%- else -%>
- key-directory "<%= @cachedir %>/<%= @name %>";
-<%- end -%>
- file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>.signed";
 <%- else -%>
+ key-directory "<%= @cachedir %>/<%= @name %>";
+<%- end -%>
+ file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>.signed";
+<%- elsif %w(init managed allowed).include? @zone_file_mode -%>
 file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>";
-<%- end -%>
-<%- unless @zone_type == 'stub' -%>
+<%- end -%>
+<%- if %w(master slave).include? @zone_type -%>
 notify <%= @ns_notify ? 'yes' : 'no' %>;
-<%- end -%>
-<%- if @also_notify and @also_notify != '' -%>
+<%- end -%>
+<%- if @also_notify and @also_notify != '' -%>
 also-notify {
-<%- Array(@also_notify).each do |server| -%>
+<%- Array(@also_notify).each do |server| -%>
 <%= server %>;
-<%- end -%>
- };
 <%- end -%>
-<%- if @allow_notify and @allow_notify != '' -%>
+ };
+<%- end -%>
+<%- if @allow_notify and @allow_notify != '' -%>
 allow-notify {
-<%- Array(@allow_notify).each do |server| -%>
+<%- Array(@allow_notify).each do |server| -%>
 <%= server %>;
-<%- end -%>
- };
 <%- end -%>
+ };
 <%- end -%>
 <%- if @masters and @masters != '' -%>
 masters {
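Review bot: The `key-directory` fallback in the `@dnssec` branch points BIND at `<%= @cachedir %>/<%= @name %>`, which `manifests/zone.pp` creates as the zone directory with mode `0755`, so the zone's DNSSEC signing keys are written into a directory every local user can list, next to the world-readable zone file. Whether the key files themselves end up `0600` depends on `dnssec-init`, which is not part of this change, so the directory permissions are the only guard visible here. Either default `key-directory` to a dedicated directory that the manifest creates `0750` for the bind user, or tighten the zone directory to `0750` when `$dnssec` is set, and record the assumption above the fallback, e.g. `<%# keys default into the zone directory; the manifest must keep it non-world-readable %>`. The `zone` block this template opens is closed after the end of this hunk.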