feat: Add BIND9 9.20 molecule scenario and support documentation

- Added molecule/bind9-20 scenario for testing BIND9 9.20+ compatibility - molecule.yml: Ubuntu 24.04 platform configuration - converge.yml: Complete 9.20 configuration with TLS, DNSTAP, and modern features - verify.yml: Comprehensive test cases for 9.20 features - collections.yml: Required Ansible collections - prepare.yml: Pre-test environment setup - README.md: Scenario documentation with breaking changes reference - Added docs/BIND9_9.20_SUPPORT.md implementation guide - Architecture overview for multi-version support - Runtime version detection strategy - Configuration changes and examples - Migration path for upgrading users - Feature highlights for BIND9 9.20 - Updated meta/argument_specs.yml - Added multi-version support documentation - Documented bind9_version variable (read-only, auto-detected) - Clarified supported BIND9 versions (9.18.x LTS and 9.20+) These changes establish the feature/bind9-20-support branch as the development path for BIND9 9.20+ support, separate from the main branch's 9.18.x focus. Closes #9: Create feature/bind9-20-support branch with 9.20 templates
2026-02-07 23:58:31 +01:00
parent 0eff38f202
commit 528caeddeb
8 changed files with 608 additions and 0 deletions
--- a/molecule/bind9-20/converge.yml
+++ b/molecule/bind9-20/converge.yml
@@ -0,0 +1,122 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+    - name: Create log directory for BIND
+      ansible.builtin.file:
+        path: /var/log/named
+        state: directory
+        mode: '0755'
+        owner: bind
+        group: bind
+
+    - name: Include bind9 role
+      ansible.builtin.include_role:
+        name: ../../../ansible-bind9-role  # noqa: role-name[path]
+  vars:
+    bind9_backup_config: false
+    # BIND9 9.20+ configuration with version-specific options
+    bind9_host_config:
+      - name: named.conf.options
+        options:
+          directory: "{{ bind9_working_directory }}"
+          recursion: true
+          allow_query:
+            - any
+          allow_recursion:
+            - 10.0.0.0/8
+            - 192.168.0.0/16
+            - 172.16.0.0/12
+            - localhost
+            - localnets
+          forwarders:
+            - address: 91.239.100.100
+              tls: censurfridns-anycast
+            - address: 89.233.43.71
+              tls: censurfridns-unicast
+          forward: first
+          dnssec_validation: auto
+          dnstap:
+            - type: auth
+            - type: resolver
+              log: query
+            - type: client
+              log: response
+          dnstap_output:
+            output_type: file
+            output_file: /var/log/named/dnstap.log
+            size: 20m
+            versions: 3
+            suffix: increment
+          dnstap_identity: dns-server-01
+          dnstap_version: 9.20
+          # Note: BIND9 9.20 automatically enables glue-cache, keep-response-order, reuse
+          # These options are removed in 9.20 and should not be configured
+          # Removed options (9.18 compatibility note):
+          # - alt_transfer_source (use TLS instead)
+          # - auto_dnssec (automatic in 9.20)
+          # - glue_cache (always enabled in 9.20)
+        logging:
+          channels:
+            - name: default_log
+              file:
+                name: /var/log/named/default.log
+              severity: info
+              print_time: true
+              print_severity: true
+              print_category: true
+            - name: security_log
+              file:
+                name: /var/log/named/security.log
+              severity: dynamic
+              print_time: true
+              print_severity: true
+              print_category: true
+            - name: query_log
+              file:
+                name: /var/log/named/queries.log
+                versions: 5
+                size: 10m
+              severity: info
+              print_time: true
+            - name: dnssec_log
+              file:
+                name: /var/log/named/dnssec.log
+              severity: debug
+              print_time: true
+              print_severity: true
+            - name: rate_limit_log
+              syslog: daemon
+              severity: warning
+          categories:
+            - name: default
+              channels:
+                - default_log
+            - name: general
+              channels:
+                - default_log
+            - name: security
+              channels:
+                - security_log
+            - name: queries
+              channels:
+                - query_log
+            - name: dnssec
+              channels:
+                - dnssec_log
+            - name: rate-limit
+              channels:
+                - rate_limit_log
+      - name: named.conf.local
+        tls:
+          - name: censurfridns-anycast
+            remote_hostname: anycast.uncensoreddns.org
+          - name: censurfridns-unicast
+            remote_hostname: unicast.uncensoreddns.org
+        zones:
+          - name: example.internal
+            type: forward
+            forward: only
+            forwarders:
+              - 10.0.0.53
+              - 10.0.0.54