---
- name: Verify forwarders configuration
  hosts: all
  gather_facts: false
  tasks:
    - name: Read named.conf.options
      ansible.builtin.slurp:
        src: /etc/bind/named.conf.options
      register: forwarders_file

    - name: Assert forwarders render with port and tls
      ansible.builtin.assert:
        that:
          - forwarders_content is search('forwarders port 853 tls common-upstream \{')
          - forwarders_content is search('192.0.2.10 port 5353 tls leaf-a;')
          - forwarders_content is search('2001:db8::10 tls dual-stack;')
          - forwarders_content is search('198.51.100.10 tls dual-stack;')
          - forwarders_content is search('203.0.113.10;')
        fail_msg: "Forwarders block missing expected port/tls entries"
      vars:
        forwarders_content: "{{ forwarders_file.content | b64decode }}"