From 365e68c2dd6cecb01947ee7e140d2db309f4a467 Mon Sep 17 00:00:00 2001
From: Daniel Akulenok
Date: Tue, 30 Aug 2022 13:55:13 +0200
Subject: [PATCH] Working molecule
---
 meta/main.yml | 61 ++---
 molecule/default/converge.yml | 455 ++++++++++++++++++++++++++++++++++
 molecule/default/molecule.yml | 18 ++
 molecule/default/verify.yml | 10 +
 tasks/main.yml | 1 +
 tests/test.yml | 448 +++++++++++++++++++++++++++++++++
 6 files changed, 952 insertions(+), 41 deletions(-)
 create mode 100644 molecule/default/converge.yml
 create mode 100644 molecule/default/molecule.yml
 create mode 100644 molecule/default/verify.yml
diff --git a/meta/main.yml b/meta/main.yml
index 06d87f0..b0cfb57 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,52 +1,31 @@ galaxy_info: + role_name: bind9 + namespace: keepit + author: Daniel Akulenok description: Configure Bind9 company: Keepit - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker + issue_tracker_url: https://gitlab.off.keepit.com/operations/ansible-bind9-role - # Choose a valid license ID from https://spdx.org - some suggested licenses: - # - BSD-3-Clause (default) - # - MIT - # - GPL-2.0-or-later - # - GPL-3.0-only - # - Apache-2.0 - # - CC-BY-4.0 - license: GPL-2.0-or-later + license: GPL-3.0-or-later - min_ansible_version: 2.1 + min_ansible_version: 2.13 - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: + platforms: + - name: Ubuntu + versions: + - 22.04 + - 20.04 + - name: Debian + versions: + - 11 - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. + galaxy_tags: + - bind9 + - bind + - dns + - ubuntu + - debian dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. 
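Review bot: In meta/main.yml, `min_ansible_version: 2.13` and the platform versions `22.04`, `20.04` and `11` are unquoted, so YAML loads them as numbers rather than strings; a later bump to 2.20 would silently read as 2.2. Quote them, e.g. `min_ansible_version: "2.13"` and `- "22.04"`. Separately, `issue_tracker_url` now points at what looks like an internal GitLab host (`gitlab.off.keepit.com`); if the role is ever published outside the company, confirm that exposing that hostname is intended.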
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
new file mode 100644
index 0000000..7cd81e8
--- /dev/null
+++ b/molecule/default/converge.yml
@@ -0,0 +1,455 @@ +--- +- name: Converge + hosts: all + roles: + - keepit.bind9 + vars: + bind9_group_config: + - name: named.conf.options + options: + forwarders: + - 1.1.1.1 + - 1.0.0.1 + fetches_per_server: 200 fail + prefetch: 4 10 + version: none + hostname: l33t.h4x0r + avoid_v4_udp_ports: + - "range 5132 5232" + - "range 1337 31337" + servfail_ttl: 0 + allow_notify: + - 10.0.0.0/8 + allow_query: + - "!10.0.2.1" + - 0/0 + blackhole: + - 192.168.0.0/16 + allow_recursion: [] + empty_server: "empty.server.string" + dns64_server: "server.name" + dns64_contact: "dak.keepit.com" + directory: "{{ bind9_working_directory }}" + key_directory: "{{ bind9_working_directory }}/keys" + statistics_file: "{{ bind9_working_directory }}/named.stats" + rrset_order: + - type: A + name: foo.isc.org + order: random + - type: AAAA + name: foo.isc.org + order: cyclic + - name: bar.isc.org + order: random + - name: "*.bar.isc.org" + order: random + - name: "*.baz.isc.org" + order: cyclic + response_policy: + zones: + - zone: smorg.bop + max_policy_ttl: 30S + min_update_interval: 30S + policy: disabled + add_soa: true + log: true + recursive_only: false + nsip_enable: true + nsdname_enable: true + max_policy_ttl: 30S + min_update_interval: 30S + min_ns_dots: 2 + add_soa: false + break_dnssec: false + nsip_wait_recurse: true + nsdname_wait_recurse: true + qname_wait_recurse: true + recursive_only: true + nsip_enable: true + nsdname_enable: true + dnsrps_enable: false + dnsrps_options: + - simple + - item + - list + response_padding: + block_size: 4096 + addresses: + - 0/0 + rate_limit: + all_per_second: 0 + errors_per_second: 0 + responses_per_second: 0 + referrals_per_second: 0 + nodata_per_second: 0 + nxdomains_per_second: 0 + ipv4_prefix_length: 24 + ipv6_prefix_length: 54 + max_table_size: 20000 + min_table_size: 500 + qps_scale: 250 + slip: 2 + window: 15 + log_only: true + exempt_clients: + - 192.168.0.1 + - 10.20.30.40 + query_source_v6: + address: "*" + port: "*" + dscp: 42 + 
parental_source_v6: + address: "*" + port: "*" + dscp: 42 + notify_source_v6: + address: "*" + notify_source: + address: "*" + listen_on: + - port: 53 + addresses: + - 0.0.0.0 + - port: 5353 + dscp: 42 + addresses: + - 0.0.0.0 + - 127.0.0.1 + listen_on_v6: + - port: 5353 + dscp: 42 + addresses: + - "::" + - "de:ad::be:ef" + dialup: false + minimal_responses: true + zone_statistics: full + ixfr_from_differences: master + dual_stack_servers: + port: 4492 + addresses: + - address: hostname.com + port: 4421 + dscp: 42 + - address: 10.128.128.182 + - address: de:ad::be:ef + dnstap: + - type: auth + - type: client + log: response + - type: resolver + log: query + dnstap_output: + output_type: file + output_file: /tmp/dnstap + size: 10M + versions: 200 + suffix: increment + - name: named.conf.local + acl: + - name: localstuff + addresses: + - 10.0.0.0/8 + - 192.168.0.0/16 + - 172.16.0.0/12 + - name: external + addresses: + - 185.181.220.77 + - "!0.0.0.0/0" + controls: + - type: inet + address: 127.0.0.1 + port: 533 + allow: + - 127.0.0.0/8 + - "!127.13.37.1" + readonly: false + - type: inet + address: 10.20.30.40 + allow: + - 100.0.0.0/8 + view: + - name: recursive-view + match_clients: + - localstuff + match_destinations: + - remote + match-recursive-only: true + options: + transfer_source: + address: 0.0.0.0 + port: '*' + dscp: 42 + allow_recursion: + - localstuff + zones: + - name: google.com + type: forward + forward: only + forwarders: + - 1.1.1.1 + - 1.0.0.1 + dnssec_policy: + - name: mypolicy + keylist: + - role: ksk + key_directory: true + lifetime: unlimited + algorithm: rsasha256 + keysize: 2048 + - role: zsk + lifetime: P30D + algorithm: 8 + - role: csk + lifetime: P6MT12H3M15S + algorithm: ecdsa256 + max_zone_ttl: P4D + parent_ds_ttl: P14D + nsec3param: + iterations: '0' + optout: false + salt_length: '0' + dyndb: + - name: sample + driver: example.so + parameters: + - example.nil. arpa. + - example2.nil. arpa. 
+ http: + - name: dohconf + endpoints: + - /dns-query + - /dns + - /query + listener_clients: 4 + streams_per_connection: 1024 + keylist: + - name: certbot. + algorithm: hmac-sha512 + secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" + - name: certbot2. + algorithm: hmac-sha512 + secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" + logging: + categories: + - name: default + channels: + - default_syslog + - default_debug + - tv2 + - dr1 + - name: unmatched + channels: + - tv3 + channels: + - name: tv2 + buffered: true + file: + name: /var/log/named.log + versions: 7 + size: 20m + suffix: increment + print_category: false + print_severity: false + print_time: iso8601-utc + severity: info + - name: tv3 + 'null': true + - name: dr1 + syslog: daemon + - name: kanalkobenhavn + stderr: true + severity: debug 3 + parental_agents: + - name: parents + port: 53353 + dscp: 42 + addresses: + - address: 10.20.30.40 + port: 53 + key: certbot. + - address: 20.30.40.50 + port: 53 + - address: 30.40.50.60 + key: certbot2. + - address: 40.50.60.70 + - name: notparents + addresses: + - address: 10.20.30.40 + - address: 30.40.50.60 + - address: 40.50.60.70 + primaries: + - name: parents + port: 53353 + dscp: 42 + addresses: + - address: 10.20.30.40 + port: 53 + key: certbot. + - address: 20.30.40.50 + port: 53 + - address: 30.40.50.60 + key: certbot2. + - address: 40.50.60.70 + - name: notparents + addresses: + - address: 10.20.30.40 + - address: 30.40.50.60 + - address: 40.50.60.70 + tls: + - name: certbot + cert_file: /etc/ssl/private/snakeoil.pem + key_file: /etc/ssl/private/snakeoil.key + dhparam_file: /etc/ssl/dhparam.pem + ca_file: /etc/ssl/certs/ca-certificates.crt + remote_hostname: yourhostname + ciphers: HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384 + protocols: + - TLSv1.2 + - TLSv1.3 + prefer_server_ciphers: true + session_tickets: true + trust_anchors: + - name: . 
+ type: initial-key + flags: 257 + protocol: 3 + algorithm: 8 + key: "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=" + - name: hugs.dk + type: static-ds + flags: 64335 + protocol: 7 + algorithm: 2 + key: "D6AAECB1BA13D51F072A229C957ACADEA18118FB17DA2DC7D45A963428091372" + server: + - prefix: 1.1.1.1 + bogus: false + edns: true + tcp_only: false + tcp_keepalive: false + edns_version: '0' + padding: '0' + transfers: '0' + keyname: certbot. + query_source: + address: "*" + port: "*" + statistics_channels: + - address: 0.0.0.0 + port: 8080 + allow: + - 0/0 + - name: named.conf.zones + backup: false + zones: + - name: "_acme-challenge.hugs.dk" + type: master + file: master/_acme-challenge.hugs.dk.zone + allow_query: + - any + dnssec_policy: default + inline_signing: true + serial_update_method: date + update_policy: + - permission: grant + identity: certbot. 
+ ruletype: name + name: _acme-challenge.hugs.dk + types: txt + - name: forward.net + type: forward + forwarders: + port: 53 + addresses: + - address: 1.1.1.1 + port: 53 + dscp: 42 + - address: 4.2.2.4 + port: 53 + - name: stub.com + type: static-stub + allow_query: + - any + server_addresses: + - 1.1.1.1 + - 8.8.8.8 + zone_statistics: full + - name: example.com + type: slave + allow_query: + - 127.0.0.1 + - 10.0.0.1 + - 128.15.14.13 + allow_query_on: + - 127.0.0.1 + primaries: + port: 5522 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 55222 + - address: 10.20.30.40 + - name: smorg.bop + type: slave + primaries: + addresses: + - address: 127.0.0.1 + allow_query: + - 15.14.13.12 + - 10.20.30.40 + - 28.25.23.24 + - "!10.13.14.15" + forwarders: + port: 53 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 53 + dscp: 42 + - address: 10.20.30.40 + port: 53 + - address: 20.30.40.50 + - address: 30.40.50.60 + port: 53 + allow_transfer: + port: 5522 + transport: tls + addresses: + - 192.168.122.1 + also_notify: + port: 5523 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 5523 + - address: 127.0.0.2 + auto-dnssec: allow + dnskey_sig_validity: 0 + dnssec-dnskey-kskonly: true + dnssec_loadkeys_interval: 0 + file: "string" + forward: first + inline_signing: true + ixfr_from_differences: true + masterfile_format: raw + masterfile_style: full + max_ixfr_ratio: unlimited + max_journal_size: default + max_records: 0 + max_transfer_idle_out: 0 + max_transfer_time_out: 0 + notify: true + notify_delay: '0' + notify_to_soa: false + parental_agents: + port: 44332 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 53 + sig_signing_nodes: '0' + sig_signing_signatures: '0' + sig_signing_type: 65281 + zero_no_soa_ttl: true + zone_statistics: full diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 0000000..a6db466 --- /dev/null +++ b/molecule/default/molecule.yml 
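Review bot: In molecule/default/converge.yml, the two `keylist` entries (`certbot.` and `certbot2.`) carry the same literal `hmac-sha512` secret, and the identical value is committed again in the tests/test.yml hunk. Nothing visible here says whether that value was generated for the fixture or copied from a running server; if it was ever used outside tests it should be treated as exposed and rotated. Either way, say so in the file with a comment above `keylist:` such as `# test-only TSIG key generated for this fixture; never deployed`, so a reader or a secret scanner does not have to guess. Using two different dummy values for the two keys would also let the test catch a template that mixes them up.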
@@ -0,0 +1,18 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - name: ubuntu-jammy
+ image: ubuntu:jammy
+ - name: ubuntu-focal
+ image: ubuntu:focal
+ - name: debian-bullseye
+ image: debian:bullseye
+provisioner:
+ name: ansible
+ lint:
+ name: ansible-lint
+verifier:
+ name: ansible
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
new file mode 100644
index 0000000..e707420
--- /dev/null
+++ b/molecule/default/verify.yml
@@ -0,0 +1,10 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+ hosts: all
+ gather_facts: false
+ tasks:
+ - name: Example assertion
+ ansible.builtin.assert:
+ that: true
diff --git a/tasks/main.yml b/tasks/main.yml
index 0993827..6af2640 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -4,6 +4,7 @@
 ansible.builtin.apt:
 name: "{{ bind9_packages }}"
 state: present
+ cache_valid_time: 3600
 tags:
 - bind9
 - packages
diff --git a/tests/test.yml b/tests/test.yml
index 5e082e0..c5a12ed 100644
--- a/tests/test.yml
+++ b/tests/test.yml
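Review bot: In molecule/default/molecule.yml, the three platform images (`ubuntu:jammy`, `ubuntu:focal`, `debian:bullseye`) are referenced by mutable tag, so each run pulls whatever the registry serves that day and a changed or substituted image goes unnoticed. Pinning by digest keeps the scenario reproducible, e.g. `image: ubuntu:jammy@sha256:<digest-placeholder>`, with the digest refreshed deliberately. Depending on the Molecule version in use, the `lint:` block nested under `provisioner:` may not be honoured; it is worth confirming that ansible-lint actually runs.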
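Review bot: In molecule/default/verify.yml, the only task asserts `that: true`, so the verify stage passes regardless of what the role rendered. Given how many options converge.yml exercises, the minimum useful check is that the generated configuration parses: replace the example task with one that runs `ansible.builtin.command: named-checkconf` with `changed_when: false`. The leading comment `# This is an example playbook to execute Ansible tests.` should go once real checks exist.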
@@ -3,3 +3,451 @@ remote_user: root roles: - bind9 + vars: + options: + forwarders: + - 1.1.1.1 + - 1.0.0.1 + fetches_per_server: 200 fail + prefetch: 4 10 + version: none + hostname: l33t.h4x0r + avoid_v4_udp_ports: + - "range 5132 5232" + - "range 1337 31337" + servfail_ttl: 0 + allow_notify: + - 10.0.0.0/8 + allow_query: + - "!10.0.2.1" + - 0/0 + blackhole: + - 192.168.0.0/16 + allow_recursion: [] + empty_server: "empty.server.string" + dns64_server: "server.name" + dns64_contact: "dak.keepit.com" + directory: "{{ bind9_cachedir }}" + key_directory: "{{ bind9_cachedir }}/keys" + statistics_file: "{{ bind9_cachedir }}/named.stats" + rrset_order: + - type: A + name: foo.isc.org + order: random + - type: AAAA + name: foo.isc.org + order: cyclic + - name: bar.isc.org + order: random + - name: "*.bar.isc.org" + order: random + - name: "*.baz.isc.org" + order: cyclic + response_policy: + zones: + - zone: smorg.bop + max_policy_ttl: 30S + min_update_interval: 30S + policy: disabled + add_soa: true + log: true + recursive_only: false + nsip_enable: true + nsdname_enable: true + max_policy_ttl: 30S + min_update_interval: 30S + min_ns_dots: 2 + add_soa: false + break_dnssec: false + nsip_wait_recurse: true + nsdname_wait_recurse: true + qname_wait_recurse: true + recursive_only: true + nsip_enable: true + nsdname_enable: true + dnsrps_enable: false + dnsrps_options: + - simple + - item + - list + response_padding: + block_size: 4096 + addresses: + - 0/0 + rate_limit: + all_per_second: 0 + errors_per_second: 0 + responses_per_second: 0 + referrals_per_second: 0 + nodata_per_second: 0 + nxdomains_per_second: 0 + ipv4_prefix_length: 24 + ipv6_prefix_length: 54 + max_table_size: 20000 + min_table_size: 500 + qps_scale: 250 + slip: 2 + window: 15 + log_only: true + exempt_clients: + - 192.168.0.1 + - 10.20.30.40 + query_source_v6: + address: "*" + port: "*" + dscp: 42 + parental_source_v6: + address: "*" + port: "*" + dscp: 42 + notify_source_v6: + address: "*" + 
notify_source: + address: "*" + listen_on: + - port: 53 + addresses: + - 0.0.0.0 + - port: 5353 + dscp: 42 + addresses: + - 0.0.0.0 + - 127.0.0.1 + listen_on_v6: + - port: 5353 + dscp: 42 + addresses: + - "::" + - "de:ad::be:ef" + dialup: false + minimal_responses: true + zone_statistics: full + ixfr_from_differences: master + dual_stack_servers: + port: 4492 + addresses: + - address: hostname.com + port: 4421 + dscp: 42 + - address: 10.128.128.182 + - address: de:ad::be:ef + dnstap: + - type: auth + - type: client + log: response + - type: resolver + log: query + dnstap_output: + output_type: file + output_file: /tmp/dnstap + size: 10M + versions: 200 + suffix: increment + - name: named.conf.local + acl: + - name: localstuff + addresses: + - 10.0.0.0/8 + - 192.168.0.0/16 + - 172.16.0.0/12 + - name: external + addresses: + - 185.181.220.77 + - "!0.0.0.0/0" + controls: + - type: inet + address: 127.0.0.1 + port: 533 + allow: + - 127.0.0.0/8 + - "!127.13.37.1" + readonly: false + - type: inet + address: 10.20.30.40 + allow: + - 100.0.0.0/8 + view: + - name: recursive-view + match_clients: + - localstuff + match_destinations: + - remote + match-recursive-only: true + options: + transfer_source: + address: 0.0.0.0 + port: '*' + dscp: 42 + allow_recursion: + - localstuff + zones: + - name: google.com + type: forward + forward: only + forwarders: + - 1.1.1.1 + - 1.0.0.1 + dnssec_policy: + - name: mypolicy + keylist: + - role: ksk + key_directory: true + lifetime: unlimited + algorithm: rsasha256 + keysize: 2048 + - role: zsk + lifetime: P30D + algorithm: 8 + - role: csk + lifetime: P6MT12H3M15S + algorithm: ecdsa256 + max_zone_ttl: P4D + parent_ds_ttl: P14D + nsec3param: + iterations: '0' + optout: false + salt_length: '0' + dyndb: + - name: sample + driver: example.so + parameters: + - example.nil. arpa. + - example2.nil. arpa. 
+ http: + - name: dohconf + endpoints: + - /dns-query + - /dns + - /query + listener_clients: 4 + streams_per_connection: 1024 + keylist: + - name: certbot. + algorithm: hmac-sha512 + secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" + - name: certbot2. + algorithm: hmac-sha512 + secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" + logging: + categories: + - name: default + channels: + - default_syslog + - default_debug + - tv2 + - dr1 + - name: unmatched + channels: + - tv3 + channels: + - name: tv2 + buffered: true + file: + name: /var/log/named.log + versions: 7 + size: 20m + suffix: increment + print_category: false + print_severity: false + print_time: iso8601-utc + severity: info + - name: tv3 + 'null': true + - name: dr1 + syslog: daemon + - name: kanalkobenhavn + stderr: true + severity: debug 3 + parental_agents: + - name: parents + port: 53353 + dscp: 42 + addresses: + - address: 10.20.30.40 + port: 53 + key: certbot. + - address: 20.30.40.50 + port: 53 + - address: 30.40.50.60 + key: certbot2. + - address: 40.50.60.70 + - name: notparents + addresses: + - address: 10.20.30.40 + - address: 30.40.50.60 + - address: 40.50.60.70 + primaries: + - name: parents + port: 53353 + dscp: 42 + addresses: + - address: 10.20.30.40 + port: 53 + key: certbot. + - address: 20.30.40.50 + port: 53 + - address: 30.40.50.60 + key: certbot2. + - address: 40.50.60.70 + - name: notparents + addresses: + - address: 10.20.30.40 + - address: 30.40.50.60 + - address: 40.50.60.70 + tls: + - name: certbot + cert_file: /etc/ssl/private/snakeoil.pem + key_file: /etc/ssl/private/snakeoil.key + dhparam_file: /etc/ssl/dhparam.pem + ca_file: /etc/ssl/certs/ca-certificates.crt + remote_hostname: yourhostname + ciphers: HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384 + protocols: + - TLSv1.2 + - TLSv1.3 + prefer_server_ciphers: true + session_tickets: true + trust_anchors: + - name: . 
+ type: initial-key + flags: 257 + protocol: 3 + algorithm: 8 + key: "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=" + - name: hugs.dk + type: static-ds + flags: 64335 + protocol: 7 + algorithm: 2 + key: "D6AAECB1BA13D51F072A229C957ACADEA18118FB17DA2DC7D45A963428091372" + server: + - prefix: 1.1.1.1 + bogus: false + edns: true + tcp_only: false + tcp_keepalive: false + edns_version: '0' + padding: '0' + transfers: '0' + keyname: certbot. + query_source: + address: "*" + port: "*" + statistics_channels: + - address: 0.0.0.0 + port: 8080 + allow: + - 0/0 + - name: named.conf.zones + backup: false + zones: + - name: "_acme-challenge.hugs.dk" + type: master + file: master/_acme-challenge.hugs.dk.zone + allow_query: + - any + dnssec_policy: default + inline_signing: true + serial_update_method: date + update_policy: + - permission: grant + identity: certbot. 
+ ruletype: name + name: _acme-challenge.hugs.dk + types: txt + - name: forward.net + type: forward + forwarders: + port: 53 + addresses: + - address: 1.1.1.1 + port: 53 + dscp: 42 + - address: 4.2.2.4 + port: 53 + - name: stub.com + type: static-stub + allow_query: + - any + server_addresses: + - 1.1.1.1 + - 8.8.8.8 + zone_statistics: full + - name: example.com + type: slave + allow_query: + - 127.0.0.1 + - 10.0.0.1 + - 128.15.14.13 + allow_query_on: + - 127.0.0.1 + primaries: + port: 5522 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 55222 + - address: 10.20.30.40 + - name: smorg.bop + type: slave + primaries: + addresses: + - address: 127.0.0.1 + allow_query: + - 15.14.13.12 + - 10.20.30.40 + - 28.25.23.24 + - "!10.13.14.15" + forwarders: + port: 53 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 53 + dscp: 42 + - address: 10.20.30.40 + port: 53 + - address: 20.30.40.50 + - address: 30.40.50.60 + port: 53 + allow_transfer: + port: 5522 + transport: tls + addresses: + - 192.168.122.1 + also_notify: + port: 5523 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 5523 + - address: 127.0.0.2 + auto-dnssec: allow + dnskey_sig_validity: 0 + dnssec-dnskey-kskonly: true + dnssec_loadkeys_interval: 0 + file: "string" + forward: first + inline_signing: true + ixfr_from_differences: true + masterfile_format: raw + masterfile_style: full + max_ixfr_ratio: unlimited + max_journal_size: default + max_records: 0 + max_transfer_idle_out: 0 + max_transfer_time_out: 0 + notify: true + notify_delay: '0' + notify_to_soa: false + parental_agents: + port: 44332 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 53 + sig_signing_nodes: '0' + sig_signing_signatures: '0' + sig_signing_type: 65281 + zero_no_soa_ttl: true + zone_statistics: full
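Review bot: In tests/test.yml, the added vars look like an older copy of the converge.yml data rather than the same data: they open with `options:` directly under `vars:`, without the `bind9_group_config:` key and the `- name: named.conf.options` item that converge.yml has, and they reference `bind9_cachedir` where converge.yml uses `bind9_working_directory`. Indentation is not recoverable in this view, so the nesting cannot be confirmed, but the later `- name: named.conf.local` item appears to have no list to belong to if `options:` is a mapping. Rather than maintaining two copies of roughly 450 lines (including the duplicated key material), keep the data in one vars file loaded from both playbooks with `vars_files:`, or drop the block from tests/test.yml now that the Molecule scenario exists.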