# BIND9 9.20 Molecule Scenario

This Molecule scenario validates the ansible-bind9-role with BIND9 9.20 and later feature releases.

## Purpose

- Tests role compatibility with BIND9 9.20+ which includes 44 breaking changes from 9.18.x
- Validates version-specific templates and configurations
- Ensures configuration syntax is correct for newer BIND9 versions
- Documents 9.20-specific configuration patterns

## Platform

- **Base Image**: Ubuntu 24.04 LTS (docker.io/library/ubuntu:24.04)
- **BIND9 Version**: 9.20.x or later (as available in Ubuntu 24.04 repositories)

## Notable BIND9 9.20 Changes

Key breaking changes in this scenario:

1. **Automatic Options**: The following options are automatically enabled in 9.20 and should not be configured:
   - `glue-cache` - Always enabled
   - `keep-response-order` - Always enabled
   - `reuse` - Always enabled
   - `recursion-enabled` - Always enabled

2. **Removed Options**: These options are no longer supported in 9.20:
   - `alt-transfer-source` - Use TLS instead
   - `alt-transfer-source-v6` - Use TLS instead
   - `auto-dnssec` - DNSSEC management is automatic
   - `dsc` - Use TLS configuration instead
   - `gssapi-credential` - Use TSIG + TLS instead
   - `heartbeat-interval` - Zone transfer monitoring changed
   - `lock-file` - OS-level locking is used
   - `root-delegation-only` - Use zone constraints instead

3. **Enhanced Features**:
   - Improved TLS/DoT support for zone transfers
   - Native DNSSEC management
   - Better resolver behavior and retry logic
   - Native HTTP/HTTPS server capabilities

## Configuration Features Tested

- **DNS Forwarding**: Forward zones with TLS-based forwarders (DoT)
- **Query Logging**: Detailed query and response logging
- **DNSTAP**: DNS packet capture for forensics
- **TLS Configuration**: Modern TLS configurations for zone transfers
- **Recursion**: Proper recursion configuration with ACLs
- **DNSSEC Validation**: Modern DNSSEC validation approach

## Testing

To run this scenario:

```bash
# Test with this specific scenario
cd /path/to/ansible-bind9-role
molecule test -s bind9-20

# Or specific steps
molecule create -s bind9-20
molecule converge -s bind9-20
molecule verify -s bind9-20
molecule destroy -s bind9-20
```

## Expected Results

- BIND9 service starts successfully
- Configuration files are generated without errors
- DNS forwarding works correctly
- Named-checkconf validates the configuration
- All log channels are operational
- TLS connections are established for forwarders

## Troubleshooting

### BIND9 Package Not Available

If BIND9 9.20 is not available in Ubuntu 24.04 repositories, you may need to:

1. Build from source using the upstream ISC BIND9 repository
2. Use a different base image with more recent BIND9 packages
3. Add a custom APT repository with backported packages

### Configuration Syntax Errors

Review `/etc/bind/named.conf` using:

```bash
named-checkconf /etc/bind/named.conf
```

Check logs at `/var/log/named/default.log` for specific error messages.

## Future Updates

- [ ] Add support for BIND9 9.20 DNS-over-HTTPS (DoH)
- [ ] Test with BIND9 9.22+ when released
- [ ] Validate performance improvements
- [ ] Test clustering/replication features

## References

- [BIND9 Documentation](https://bind9.readthedocs.io/)
- [BIND9 9.20 Release Notes](https://www.isc.org/bind/)
- [DNS-over-TLS (DoT) RFC 7858](https://tools.ietf.org/html/rfc7858)