528caeddeb
- Added molecule/bind9-20 scenario for testing BIND9 9.20+ compatibility - molecule.yml: Ubuntu 24.04 platform configuration - converge.yml: Complete 9.20 configuration with TLS, DNSTAP, and modern features - verify.yml: Comprehensive test cases for 9.20 features - collections.yml: Required Ansible collections - prepare.yml: Pre-test environment setup - README.md: Scenario documentation with breaking changes reference - Added docs/BIND9_9.20_SUPPORT.md implementation guide - Architecture overview for multi-version support - Runtime version detection strategy - Configuration changes and examples - Migration path for upgrading users - Feature highlights for BIND9 9.20 - Updated meta/argument_specs.yml - Added multi-version support documentation - Documented bind9_version variable (read-only, auto-detected) - Clarified supported BIND9 versions (9.18.x LTS and 9.20+) These changes establish the feature/bind9-20-support branch as the development path for BIND9 9.20+ support, separate from the main branch's 9.18.x focus. Closes #9: Create feature/bind9-20-support branch with 9.20 templates
3.3 KiB
3.3 KiB
BIND9 9.20 Molecule Scenario
This Molecule scenario validates the ansible-bind9-role with BIND9 9.20 and later feature releases.
Purpose
- Tests role compatibility with BIND9 9.20+ which includes 44 breaking changes from 9.18.x
- Validates version-specific templates and configurations
- Ensures configuration syntax is correct for newer BIND9 versions
- Documents 9.20-specific configuration patterns
Platform
- Base Image: Ubuntu 24.04 LTS (docker.io/library/ubuntu:24.04)
- BIND9 Version: 9.20.x or later (as available in Ubuntu 24.04 repositories)
Notable BIND9 9.20 Changes
Key breaking changes in this scenario:
-
Automatic Options: The following options are automatically enabled in 9.20 and should not be configured:
glue-cache- Always enabledkeep-response-order- Always enabledreuse- Always enabledrecursion-enabled- Always enabled
-
Removed Options: These options are no longer supported in 9.20:
alt-transfer-source- Use TLS insteadalt-transfer-source-v6- Use TLS insteadauto-dnssec- DNSSEC management is automaticdsc- Use TLS configuration insteadgssapi-credential- Use TSIG + TLS insteadheartbeat-interval- Zone transfer monitoring changedlock-file- OS-level locking is usedroot-delegation-only- Use zone constraints instead
-
Enhanced Features:
- Improved TLS/DoT support for zone transfers
- Native DNSSEC management
- Better resolver behavior and retry logic
- Native HTTP/HTTPS server capabilities
Configuration Features Tested
- DNS Forwarding: Forward zones with TLS-based forwarders (DoT)
- Query Logging: Detailed query and response logging
- DNSTAP: DNS packet capture for forensics
- TLS Configuration: Modern TLS configurations for zone transfers
- Recursion: Proper recursion configuration with ACLs
- DNSSEC Validation: Modern DNSSEC validation approach
Testing
To run this scenario:
# Test with this specific scenario
cd /path/to/ansible-bind9-role
molecule test -s bind9-20
# Or specific steps
molecule create -s bind9-20
molecule converge -s bind9-20
molecule verify -s bind9-20
molecule destroy -s bind9-20
Expected Results
- BIND9 service starts successfully
- Configuration files are generated without errors
- DNS forwarding works correctly
- Named-checkconf validates the configuration
- All log channels are operational
- TLS connections are established for forwarders
Troubleshooting
BIND9 Package Not Available
If BIND9 9.20 is not available in Ubuntu 24.04 repositories, you may need to:
- Build from source using the upstream ISC BIND9 repository
- Use a different base image with more recent BIND9 packages
- Add a custom APT repository with backported packages
Configuration Syntax Errors
Review /etc/bind/named.conf using:
named-checkconf /etc/bind/named.conf
Check logs at /var/log/named/default.log for specific error messages.
Future Updates
- Add support for BIND9 9.20 DNS-over-HTTPS (DoH)
- Test with BIND9 9.22+ when released
- Validate performance improvements
- Test clustering/replication features