Add zone option JSON files for BIND9 grammar

- Created primary.zoneopt.json to define grammar for primary zones with various options including allow-query, allow-transfer, and DNSSEC settings. - Added redirect.zoneopt.json for redirect zones, specifying options like allow-query and primaries. - Introduced secondary.zoneopt.json for secondary zones, detailing options such as allow-notify, forwarders, and notify configurations. - Implemented static-stub.zoneopt.json for static stub zones, including server-addresses and server-names options. - Added stub.zoneopt.json for stub zones, defining options like check-names and forwarders. - Created zoneopt.json as a general template for zone options, incorporating common fields across different zone types.
2026-01-31 22:05:58 +01:00
parent 7388e4eaaf
commit 30918dc9f7
13 changed files with 3408 additions and 0 deletions
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -2,10 +2,19 @@
 - name: Converge
  hosts: all
  tasks:
+    - name: Create log directory for BIND
+      ansible.builtin.file:
+        path: /var/log/named
+        state: directory
+        mode: '0755'
+        owner: bind
+        group: bind
+
    - name: Include bind9 role
      ansible.builtin.include_role:
        name: ../../../ansible-bind9-role  # noqa: role-name[path]
  vars:
+    bind9_backup_config: false
    bind9_host_config:
      - name: named.conf.options
        options:
@@ -26,6 +35,71 @@
              tls: censurfridns-unicast
          forward: first
          dnssec_validation: auto
+          dnstap:
+            - type: auth
+            - type: resolver
+              log: query
+            - type: client
+              log: response
+          dnstap_output:
+            output_type: file
+            output_file: /var/log/named/dnstap.log
+            size: 20m
+            versions: 3
+            suffix: increment
+          dnstap_identity: dns-server-01
+          dnstap_version: 9.18
+        logging:
+          channels:
+            - name: default_log
+              file:
+                name: /var/log/named/default.log
+              severity: info
+              print_time: true
+              print_severity: true
+              print_category: true
+            - name: security_log
+              file:
+                name: /var/log/named/security.log
+              severity: dynamic
+              print_time: true
+              print_severity: true
+              print_category: true
+            - name: query_log
+              file:
+                name: /var/log/named/queries.log
+                versions: 5
+                size: 10m
+              severity: info
+              print_time: true
+            - name: dnssec_log
+              file:
+                name: /var/log/named/dnssec.log
+              severity: debug
+              print_time: true
+              print_severity: true
+            - name: rate_limit_log
+              syslog: daemon
+              severity: warning
+          categories:
+            - name: default
+              channels:
+                - default_log
+            - name: general
+              channels:
+                - default_log
+            - name: security
+              channels:
+                - security_log
+            - name: queries
+              channels:
+                - query_log
+            - name: dnssec
+              channels:
+                - dnssec_log
+            - name: rate-limit
+              channels:
+                - rate_limit_log
      - name: named.conf.local
        tls:
          - name: censurfridns-anycast