Update forwarders for 9.20

revert feat: Add remote-servers support for BIND 9.20

handlers/main.yml

@@ -18,7 +18,7 @@
       - "{{ bind9_libdir }}"
     dest: "{{
       bind9_backup_dir + '/bind9-config-' +
-      ansible_date_time.iso8601_basic_short + '.tar.gz' }}"
+      ansible_facts.date_time.iso8601_basic_short + '.tar.gz' }}"
     owner: root
     group: root
     mode: 0640

molecule/default/collections.yml

@@ -0,0 +1,7 @@
+---
+collections:
+  - name: ansible.utils
+  - name: ansible.posix
+  - name: community.crypto
+  - name: community.general
+

molecule/default/converge.yml

@@ -1,5 +1,31 @@
 ---
 - name: Converge
   hosts: all
-  roles:
+  vars:
-    - keepit.bind9
+    bind9_group_config:
+      - name: named.conf.options
+        options:
+          directory: "{{ bind9_working_directory }}"
+          forwarders:
+            port: 853
+            tls: common-upstream
+            addresses:
+              - address: 192.0.2.10
+                port: 5353
+                tls: leaf-a
+              - address:
+                  - 2001:db8::10
+                  - 198.51.100.10
+                tls: dual-stack
+              - 203.0.113.10
+        tls:
+          - name: common-upstream
+            remote_hostname: upstream.example
+          - name: leaf-a
+            remote_hostname: leaf-a.example
+          - name: dual-stack
+            remote_hostname: dual-stack.example
+  tasks:
+    - name: Include bind9 role
+      ansible.builtin.include_role:
+        name: ../../../ansible-bind9-role

molecule/default/molecule.yml

@@ -1,22 +1,18 @@
 ---
-dependency:
-  name: galaxy
 driver:
-  name: docker
+  name: podman
 platforms:
-  - name: ubuntu-jammy
+  - name: debian-trixie
-    image: ubuntu:jammy
+    image: docker.io/jrei/systemd-debian:13
-  - name: ubuntu-focal
+    command: /lib/systemd/systemd
-    image: ubuntu:focal
+    privileged: true
-  - name: debian-bullseye
+    volumes:
-    image: debian:bullseye
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
 provisioner:
   name: ansible
-  lint:
+  config_options:
-    name: ansible-lint
+    defaults:
+      ALLOW_BROKEN_CONDITIONALS: true
 verifier:
   name: ansible
-lint: |
-  set -e
-  ansible-lint .
-  yamllint .

molecule/default/prepare.yml

@@ -0,0 +1,6 @@
+---
+- hosts: all
+  tasks:
+    - name: Update apt
+      ansible.builtin.apt:
+        update_cache: true

molecule/default/verify.yml

@@ -0,0 +1,21 @@
+---
+- name: Verify forwarders configuration
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Read named.conf.options
+      ansible.builtin.slurp:
+        src: /etc/bind/named.conf.options
+      register: forwarders_file
+
+    - name: Assert forwarders render with port and tls
+      ansible.builtin.assert:
+        that:
+          - forwarders_content is search('forwarders port 853 tls common-upstream \{')
+          - forwarders_content is search('192.0.2.10 port 5353 tls leaf-a;')
+          - forwarders_content is search('2001:db8::10 tls dual-stack;')
+          - forwarders_content is search('198.51.100.10 tls dual-stack;')
+          - forwarders_content is search('203.0.113.10;')
+        fail_msg: "Forwarders block missing expected port/tls entries"
+      vars:
+        forwarders_content: "{{ forwarders_file.content | b64decode }}"

templates/named.conf.acl.j2

@@ -1,5 +1,6 @@
 {# ACL Macro. Very easy statement. It's just a list of address match elements. #}
 {% for acl in item.acl %}
+
 acl {{ acl.name }} {
 {{ functions.simple_item_list(acl.addresses) -}}
 };

templates/named.conf.controls.j2

@@ -1,7 +1,7 @@
-{% macro controls(controls) %}
+
 controls {
 {% filter indent(bind9_config_indent, true) %}
-{% for control in controls %}
+{% for control in item.controls %}
 {% if control.type == "inet" %}
 {{ ('inet ' + control.address) -}}
 {{ (' port ' + control.port | string) if control.port is defined and control.port -}}
@@ -16,4 +16,3 @@ controls {
 {{ (' read-only ' + control.read_only | string) if control.read_only is defined -}};
 {% endfor %}};
 {% endfilter %}
-{% endmacro %}

templates/named.conf.dlz.j2

@@ -1,5 +1,5 @@
-{% macro dlz(dlzs) %}
+{% for dlz in item.dlz if item.dlz is iterable %}
-{% for dlz in dlzs if dlzs is iterable %}
+
 dlz "{{ dlz.name }}" {
 {% filter indent(bind9_config_indent, true) %}
 {{ ('database "' + simple_item_list(dlz.database) + '";') }}
@@ -7,4 +7,3 @@ dlz "{{ dlz.name }}" {
 {% endfilter %}
 };
 {% endfor %}
-{% endmacro %}

templates/named.conf.dnssec-policy.j2

@@ -1,5 +1,5 @@
-{% macro dnssec_policy(policies) %}
+{% for policy in item.dnssec_policy if item.dnssec_policy is iterable %}
-{% for policy in policies if policies is iterable %}
+
 dnssec-policy "{{ policy.name }}" {
 {% filter indent(bind9_config_indent, true) %}
 {% if policy.keys is defined and policy.keys %}
@@ -36,4 +36,3 @@ nsec3param
 {% endfilter %}
 };
 {% endfor %}
-{% endmacro %}

templates/named.conf.dyndb.j2

@@ -1,8 +1,7 @@
-{% macro dyndb(dyndbs) %}
+{% for dyndb in item.dyndb if item.dyndb is iterable %}
-{% for dyndb in dyndbs if dyndbs is iterable %}
+
 dyndb {{ dyndb.name }} "{{ dyndb.driver }}" {
 {% filter indent(bind9_config_indent, true) %}
 {{ functions.simple_item_list(dyndb.parameters) -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.functions.j2

@@ -42,6 +42,46 @@
 {% endif %}
 {% endmacro %}
 
+{% macro list_address_port_tls(dict, indent=bind9_config_indent) %}
+{# This macro is for use for statements with grammar like #}
+{#  address port 00 tls string; address port 00 tls string; #}
+{# it is usually called by a parent macro #}
+{% filter indent(indent, true) %}
+{% for item in dict %}
+{% if item is not mapping %}
+{{ item }};
+{% elif item.address is string %}
+{{ item.address -}}
+{{- (' port ' + item.port | string) if item.port is defined and item.port -}}
+{{- (' tls ' + item.tls | string) if item.tls is defined and item.tls -}};
+{% elif item.address is sequence %}
+{% for address in item.address %}
+{{ address -}}
+{{- (' port ' + item.port | string) if item.port is defined and item.port -}}
+{{- (' tls ' + item.tls | string) if item.tls is defined and item.tls -}};
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endfilter %}
+{% endmacro %}
+
+{% macro parent_address_port_tls(name, dict) %}
+{# This macro is for statements with grammar like #}
+{# statement port 00 tls string { address port 00 tls string; address port 00 tls string; } #}
+{# the list inside the statement is handled by list_address_port_tls #}
+{% if dict is not mapping and dict is iterable %}
+{{ name }} {
+{{ list_address_port_tls(dict) -}}
+};
+{% else %}
+{{ name }}
+{{- (' port ' + dict.port | string) if dict.port is defined and dict.port -}}
+{{- (' tls ' + dict.tls | string) if dict.tls is defined and dict.tls }} {
+{{ list_address_port_tls(dict.addresses) -}}
+};
+{% endif %}
+{% endmacro %}
+
 {% macro list_address_port_dscp(dict, indent=bind9_config_indent) %}
 {# This macro is for use for statements with grammar like #}
 {#  address port 00 dscp 00; address port 00 dscp 00; #}
@@ -65,12 +105,14 @@
 {# the list inside the statement is handled by list_address_port #}
 {% if dict is not mapping and dict is iterable %}
 {{ name }} {
-{{ list_address_port_dscp(dict) }}};
+{{ list_address_port_dscp(dict) }}
+};
 {% else %}
 {{ name }}
 {{- (' port ' + dict.port | string) if dict.port is defined and dict.port -}}
 {{- (' dscp ' + dict.dscp | string) if dict.dscp is defined and dict.dscp }} {
-{{ list_address_port_dscp(dict.addresses) }}};
+{{ list_address_port_dscp(dict.addresses) }}
+};
 {% endif %}
 {% endmacro %}
 

templates/named.conf.generator.j2

@@ -1,76 +1,56 @@
 {% import 'named.conf.functions.j2' as functions with context %}
 {{ ansible_managed | comment }}
 {% if item.options is defined and item.options %}
-options {
-{% filter indent(bind9_config_indent,true)%}
 {% include 'named.conf.options.j2' %}
-{% endfilter %}
-};
-
 {% endif %}
 {% if item.acl is defined and item.acl %}
 {% include 'named.conf.acl.j2' %}
 {% endif %}
 {% if item.primaries is defined and item.primaries %}
-{% include 'named.conf.primaries' %}
+{% include 'named.conf.primaries.j2' %}
 {% endif %}
 {% if item.controls is defined and item.controls %}
-{% from 'named.conf.controls.j2' import controls with context %}
+{% include 'named.conf.controls.j2' %}
-{{ controls(item.controls) }}
 {% endif %}
 {% if item.include is defined and item.include %}
-{% from 'named.conf.include.j2' import include with context %}
+{% include 'named.conf.include.j2' %}
-{{ include(item.include) }}
 {% endif %}
 {% if item.dlz is defined and item.dlz %}
-{% from 'named.conf.dlz.j2' import dlz with context %}
+{% include 'named.conf.dlz.j2' %}
-{{ dlz(item.dlz) }}
 {% endif %}
 {% if item.dnssec_policy is defined and item.dnssec_policy %}
-{% from 'named.conf.dnssec-policy.j2' import dnssec_policy with context %}
+{% include 'named.conf.dnssec-policy.j2' %}
-{{ dnssec_policy(item.dnssec_policy) }}
 {% endif %}
 {% if item.dyndb is defined and item.dyndb %}
-{% from 'named.conf.dyndb.j2' import dyndb with context %}
+{% include 'named.conf.dyndb.j2' %}
-{{ dyndb(item.dyndb) }}
 {% endif %}
 {% if item.http is defined and item.http %}
-{% from 'named.conf.http.j2' import http with context %}
+{% include 'named.conf.http.j2' %}
-{{ http(item.http) }}
 {% endif %}
 {% if item.keylist is defined and item.keylist %}
-{% from 'named.conf.key.j2' import keylist with context %}
+{% include 'named.conf.key.j2' %}
-{{ keylist(item.keylist) }}
 {% endif %}
 {% if item.logging is defined and item.logging %}
-{% from 'named.conf.logging.j2' import logging with context %}
+{% include 'named.conf.logging.j2' %}
-{{ logging(item.logging) }}
 {% endif %}
 {% if item.parental_agents is defined and item.parental_agents %}
-{% from 'named.conf.parental-agents.j2' import parental_agents with context %}
+{% include 'named.conf.parental-agents.j2' %}
-{{ parental_agents(item.parental_agents) -}}
 {% endif %}
 {% if item.server is defined and item.server %}
-{% from 'named.conf.server.j2' import server with context %}
+{% include  'named.conf.server.j2' %}
-{{ server(item.server) }}
 {% endif %}
 {% if item.statistics_channels is defined and item.statistics_channels %}
-{% from 'named.conf.statistics-channels.j2' import statistics_channels with context %}
+{% include 'named.conf.statistics-channels.j2' %}
-{{ statistics_channels(item.statistics_channels) }}
 {% endif %}
 {% if item.tls is defined and item.tls %}
-{% from 'named.conf.tls.j2' import tls with context %}
+{% include 'named.conf.tls.j2' %}
-{{ tls(item.tls) }}
 {% endif %}
 {% if item.trust_anchors is defined and item.trust_anchors %}
-{% from 'named.conf.trust-anchors.j2' import trust_anchors with context %}
+{% include 'named.conf.trust-anchors.j2' %}
-{{ trust_anchors(item.trust_anchors) }}
 {% endif %}
 {% if item.zones is defined and item.zones %}
-{% from 'named.conf.zone.j2' import zones with context %}
+{% include 'named.conf.zone.j2' %}
-{{ zones(item.zones) }}
 {% endif %}
 {% if item.view is defined and item.view %}
-{% from 'named.conf.view.j2' import view with context %}
+{% include 'named.conf.view.j2' %}
-{{ view(item.view) }}
 {% endif %}

templates/named.conf.http.j2

@@ -1,5 +1,5 @@
-{% macro http(seq) %}
+{% for http in item.http if item.http is iterable %}
-{% for http in seq if seq is iterable %}
+
 http {{ http.name }} {
 {% filter indent(bind9_config_indent, true) %}
 {% if http.endpoints is defined and http.endpoints %}
@@ -14,4 +14,3 @@ endpoints {
 {{ ('streams-per-connection ' + http.streams_per_connection | string + ';\n') if http.streams_per_connection is defined and http.streams_per_connection -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.include.j2

@@ -1,5 +1,4 @@
-{% macro include(files) %}
+
-{% for file in files %}
+{% for file in item.include %}
 include "{{ file }}";
 {% endfor %}
-{% endmacro %}

templates/named.conf.key.j2

@@ -1,9 +1,8 @@
-{% macro keylist(keylists) %}
+{% for keyname in item.keylist if item.keylist is iterable %}
-{% for keyname in keylists if keylists is iterable %}
+
 key {{ keyname.name }} {
 {% filter indent(bind9_config_indent, true) %}
 {{ ('algorithm ' + keyname.algorithm + ';\n') if keyname.algorithm is defined and keyname.algorithm -}}
 {{ ('secret "' + keyname.secret + '";\n') if keyname.secret is defined and keyname.secret -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.logging.j2

@@ -1,11 +1,11 @@
-{% macro logging(logging) %}
+
 logging {
 {% filter indent(bind9_config_indent, true) %}
-{% for category in logging.categories if logging.categories is defined and logging.categories %}
+{% for category in item.logging.categories if item.logging.categories is defined and item.logging.categories %}
 category {{ category.name }} {
 {{ functions.simple_item_list(category.channels) }}};
 {% endfor %}
-{% for channel in logging.channels if logging.channels is defined and logging.channels %}
+{% for channel in item.logging.channels if item.logging.channels is defined and item.logging.channels %}
 channel {{ channel.name }} {
 {% filter indent(bind9_config_indent, true) %}
 {% if channel.file is defined and channel.file %}
@@ -26,4 +26,3 @@ file "{{ channel.file.name }}"
 };
 {% endfor %}
 {% endfilter %}};
-{% endmacro %}

templates/named.conf.options.j2

@@ -1,3 +1,6 @@
+
+options {
+{% filter indent(bind9_config_indent,true)%}
 {# Unicorn Options#}
 {% if item.options.rrset_order is defined and item.options.rrset_order %}
 rrset-order {
@@ -98,7 +101,7 @@ listen-on
 {{ functions.simple_item_list(item.options.listen_on.addresses) }}};
 {% endfor %}
 {% endif %}
-{{ functions.parent_address_port_dscp("forwarders", item.options.forwarders) if item.options.forwarders is defined and item.options.forwarders -}}
+{{ functions.parent_address_port_tls('forwarders', item.options.forwarders) if item.options.forwarders is defined and item.options.forwarders -}}
 {% if item.options.dual_stack_servers is defined and item.options.dual_stack_servers %}
 dual-stack-servers
 {{ (' port ' + item.options.dual_stack_servers.port | string) if item.options.dual_stack_servers.port is defined and item.options.dual_stack_servers }} {
@@ -460,3 +463,6 @@ tkey-dhkey "{{ item.options.tkey_dhkey.key_name }}" {{ item.options.tkey_dhkey.k
 {{ (functions.boolean_option('use-alt-transfer-source', item.options.use_alt_transfer_source) + '\n') if item.options.use_alt_transfer_source is defined -}}
 {{ (functions.boolean_option('zero-no-soa-ttl', item.options.zero_no_soa_ttl) + '\n') if item.options.zero_no_soa_ttl is defined -}}
 {{ (functions.boolean_option('zero-no-soa-ttl-cache', item.options.zero_no_soa_ttl_cache) + '\n') if item.options.zero_no_soa_ttl_cache is defined -}}
+{% endfilter %}
+};
+

templates/named.conf.parental-agents.j2

@@ -1,9 +1,8 @@
-{% macro parental_agents(parental_agents) %}
+{% for agent in item.parental_agents if item.parental_agents is iterable %}
-{% for agent in parental_agents if parental_agents is iterable %}
+
 parental-agents {{ agent.name -}}
 {{ (' port ' + agent.port | string) if agent.port is defined and agent.port -}}
 {{ (' dscp ' + agent.dscp | string) if agent.dscp is defined and agent.dscp }} {
 {{ functions.list_address_port_key_tls(agent.addresses) -}}};
 
 {% endfor %}
-{% endmacro %}

templates/named.conf.primaries.j2

@@ -1,4 +1,5 @@
-{% for primary in item.primaries if primaries is iterable %}
+{% for primary in item.primaries if item.primaries is iterable %}
+
 primaries {{ primary.name -}}
 {{ (' port ' + primary.port | string) if primary.port is defined and primary.port -}}
 {{ (' dscp ' + primary.dscp | string) if primary.dscp is defined and primary.dscp }} {

templates/named.conf.server.j2

@@ -1,5 +1,5 @@
-{% macro server(servers) %}
+{% for server in item.server if item.server is iterable %}
-{% for server in servers if servers is iterable %}
+
 server {{ server.prefix }} {
 {% filter indent(bind9_config_indent, true) %}
 {% if server.transfer_source is defined and server.transfer_source is mapping %}
@@ -54,4 +54,3 @@ query-source
 {{ (functions.boolean_option('send-cookie', server.send_cookie) + '\n') if server.send_cookie is defined -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.statistics-channels.j2

@@ -1,10 +1,9 @@
-{% macro statistics_channels(statistics_channels) %}
+
 statistics-channels {
 {% filter indent(bind9_config_indent, true) %}
-{% for channel in statistics_channels if statistics_channels is iterable %}
+{% for channel in item.statistics_channels if item.statistics_channels is iterable %}
 inet {{ channel.address | string }}
 {{- (' port ' + channel.port | string) if channel.port is defined and channel.port -}}
 {{- (' allow {\n' + functions.simple_item_list(channel.allow) + '};\n') if channel.allow is defined and channel.allow -}}
 {% endfor %}
 {% endfilter %}};
-{% endmacro %}

templates/named.conf.tls.j2

@@ -1,5 +1,5 @@
-{% macro tls(tlss) %}
+{% for tls in item.tls if item.tls is iterable %}
-{% for tls in tlss if tlss is iterable %}
+
 tls {{ tls.name }} {
 {% filter indent(bind9_config_indent, true) %}
 {{ ('cert-file "' + tls.cert_file + '";\n') if tls.cert_file is defined and tls.cert_file -}}
@@ -13,4 +13,3 @@ tls {{ tls.name }} {
 {{ (functions.boolean_option('session-tickets', tls.session_tickets) + '\n') if tls.session_tickets is defined -}}
 {% endfilter %}};
 {% endfor %}
-{% endmacro %}

templates/named.conf.trust-anchors.j2

@@ -1,7 +1,7 @@
-{% macro trust_anchors(trust_anchors) %}
+
 trust-anchors {
 {% filter indent(bind9_config_indent, true) %}
-{% for anchor in trust_anchors if trust_anchors is iterable %}
+{% for anchor in item.trust_anchors if item.trust_anchors is iterable %}
 {{ (anchor.name | string) -}}
 {{ (' ' + anchor.type) -}}
 {{ (' ' + anchor.flags | string) -}}
@@ -10,4 +10,3 @@ trust-anchors {
 {{ (' "' + anchor.key + '"') -}};
 {% endfor %}
 {% endfilter %}};
-{% endmacro %}

templates/named.conf.view.j2

@@ -1,5 +1,5 @@
-{% macro view(views) %}
+{% for view in item.view if item.view is iterable %}
-{% for view in views if views is iterable %}
+
 view {{ view.name }} {
 {% filter indent(bind9_config_indent, true) %}
 {{ ('match-recursive-only ' + functions.named_boolean(view.match_recursive_only) + ';\n') if view.match_recursive_only is defined -}}
@@ -75,4 +75,4 @@ view {{ view.name }} {
 {{ trust_anchors(view.trust_anchors) -}}
 {% endif %}
 {% endfilter %}
-};{% endfor %}{% endmacro %}
+};{% endfor %}

templates/named.conf.zone.j2

@@ -1,6 +1,5 @@
-# Zones Macro
+{% for zone in item.zones %}
-{% macro zones(zones) -%}
+
-{% for zone in zones %}
 zone "{{ zone.name }}" {
 {% filter indent(bind9_config_indent, true) %}
 # Zone {{ zone.name }} type {{ zone.type }}
@@ -48,7 +47,7 @@ server-names {
 server-addresses {
 {{ functions.simple_item_list(zone.server_addresses) }}};
 {% endif %}
-{{ functions.parent_address_port_dscp('forwarders', zone.forwarders) if zone.forwarders is defined and zone.forwarders -}}
+{{ functions.parent_address_port_tls('forwarders', zone.forwarders) if zone.forwarders is defined and zone.forwarders -}}
 {% if zone.allow_transfer is defined and zone.allow_transfer is not string %}
 allow-transfer
 {{- (' port ' + zone.allow_transfer.port | string) if zone.allow_transfer.port is defined and zone.allow_transfer.port -}}
@@ -157,6 +156,4 @@ parental-source-v6 {{ zone.parental_source_v6.address -}}
 {{ ('in-view ' + zone.in_view | string+';\n') if zone.in_view is defined and zone.in_view -}}
 {% endfilter %}
 };
-
 {% endfor %}
-{% endmacro %}