ansible-bind9-role/templates/named.conf.options.j2

{% import 'named.conf.functions.j2' as functions with context %}

options {
{% filter indent(bind9_config_indent,true)%}
{# Iterate over keys to preserve user order (Python 3.7+ / Ansible dicts are ordered) #}
{% for key, value in item.options.items() %}
{% set conf_key = key | replace('_', '-') %}

{# --- COMPLEX BLOCKS --- #}

{% if key == 'rrset_order' %}
rrset-order {
{% filter indent(bind9_config_indent, true) %}
{% for rrset in value %}
{{ ('class ' + rrset.class | string + ' ') if rrset.class is defined and rrset.class -}}
{{ ('type ' + rrset.type | string + ' ') if rrset.type is defined and rrset.type -}}
{{ ('name "' + rrset.name | string + '" ') if rrset.name is defined and rrset.name -}}
{{ ('order ' + rrset.order | string) -}};
{% endfor %}
{% endfilter %}};

{% elif key == 'response_policy' %}
response-policy {
{% filter indent(bind9_config_indent, true) %}
{% for zone in value.zones %}
{{- ('zone ' + zone.zone | string) -}}
{{- (' max-policy-ttl ' + zone.max_policy_ttl | string) if zone.max_policy_ttl is defined and zone.max_policy_ttl -}}
{{- (' min-update-interval ' + zone.min_update_interval | string) if zone.min_update_interval is defined and zone.min_update_interval -}}
{{- (' policy ' + zone.policy | string) if zone.policy is defined and zone.policy -}}
{{- (' add-soa ' + functions.named_boolean(zone.add_soa)) if zone.add_soa is defined -}}
{{- (' log ' + functions.named_boolean(zone.log)) if zone.log is defined -}}
{{- (' recursive-only ' + functions.named_boolean(zone.recursive_only)) if zone.recursive_only is defined -}}
{{- (' nsip-enable ' + functions.named_boolean(zone.nsip_enable)) if zone.nsip_enable is defined -}}
{{- (' nsdname-enable ' + functions.named_boolean(zone.nsdname_enable)) if zone.nsdname_enable is defined }};
{% endfor %}
{% endfilter %}}
{{- (' max-policy-ttl ' + value.max_policy_ttl | string) if value.max_policy_ttl is defined and value.max_policy_ttl -}}
{{- (' min-update-interval ' + value.min_update_interval | string) if value.min_update_interval is defined and value.min_update_interval -}}
{{- (' min-ns-dots ' + value.min_ns_dots | string) if value.min_ns_dots is defined and value.min_ns_dots -}}
{{- (' add-soa ' + functions.named_boolean(value.add_soa)) if value.add_soa is defined -}}
{{- (' break-dnssec ' + functions.named_boolean(value.break_dnssec)) if value.break_dnssec is defined -}}
{{- (' nsip-wait-recurse ' + functions.named_boolean(value.nsip_wait_recurse)) if value.nsip_wait_recurse is defined -}}
{{- (' nsdname-wait-recurse ' + functions.named_boolean(value.nsdname_wait_recurse)) if value.nsdname_wait_recurse is defined -}}
{{- (' qname-wait-recurse ' + functions.named_boolean(value.qname_wait_recurse)) if value.qname_wait_recurse is defined -}}
{{- (' recursive-only ' + functions.named_boolean(value.recursive_only)) if value.recursive_only is defined -}}
{{- (' nsip-enable ' + functions.named_boolean(value.nsip_enable)) if value.nsip_enable is defined -}}
{{- (' nsdname-enable ' + functions.named_boolean(value.nsdname_enable)) if value.nsdname_enable is defined -}}
{{- (' dnsrps-enable ' + functions.named_boolean(value.dnsrps_enable)) if value.dnsrps_enable is defined -}}
{{- (' dnsrps-options { ' + value.dnsrps_options | join('; ') + '; }') if value.dnsrps_options is defined and value.dnsrps_options -}};

{% elif key == 'response_padding' %}
response-padding {
{{ functions.simple_item_list(value.addresses) }}}
{{- (' block-size ' + value.block_size | string) }};

{% elif key == 'rate_limit' %}
rate-limit {
{% filter indent(bind9_config_indent, true) %}
{{ ('all-per-second ' + value.all_per_second | string + ';\n') if value.all_per_second is defined and value.all_per_second -}}
{{ ('errors-per-second ' + value.errors_per_second | string + ';\n') if value.errors_per_second is defined and value.errors_per_second -}}
{{ ('responses-per-second ' + value.responses_per_second | string + ';\n') if value.responses_per_second is defined and value.responses_per_second -}}
{{ ('referrals-per-second ' + value.referrals_per_second | string + ';\n') if value.referrals_per_second is defined and value.referrals_per_second -}}
{{ ('nodata-per-second ' + value.nodata_per_second | string + ';\n') if value.nodata_per_second is defined and value.nodata_per_second -}}
{{ ('nxdomains-per-second ' + value.nxdomains_per_second | string + ';\n') if value.nxdomains_per_second is defined and value.nxdomains_per_second -}}
{{ ('ipv4-prefix-length ' + value.ipv4_prefix_length | string + ';\n') if value.ipv4_prefix_length is defined and value.ipv4_prefix_length -}}
{{ ('ipv6-prefix-length ' + value.ipv6_prefix_length | string + ';\n') if value.ipv6_prefix_length is defined and value.ipv6_prefix_length -}}
{{ ('max-table-size ' + value.max_table_size | string + ';\n') if value.max_table_size is defined and value.max_table_size -}}
{{ ('min-table-size ' + value.min_table_size | string + ';\n') if value.min_table_size is defined and value.min_table_size -}}
{{ ('qps-scale ' + value.qps_scale | string + ';\n') if value.qps_scale is defined and value.qps_scale -}}
{{ ('window ' + value.window | string + ';\n') if value.window is defined and value.window -}}
{{ ('slip ' + value.slip | string + ';\n') if value.slip is defined and value.slip -}}
{{ ('log-only ' + functions.named_boolean(value.log_only) + ';\n') if value.log_only is defined -}}
{{ ('exempt-clients {\n' + functions.simple_item_list(value.exempt_clients) + '};\n') if value.exempt_clients is defined and value.exempt_clients -}}
{% endfilter %}};

{% elif key == 'listen_on_v6' or key == 'listen_on' %}
{% for listen in (value if value is not mapping else [value]) %}
{{ conf_key }}
{{- (' port ' + listen.port | string) if listen.port is defined and listen.port -}}
{{- (' dscp ' + listen.dscp | string) if listen.dscp is defined and listen.dscp -}}
{{- (' tls ' + listen.tls | string) if listen.tls is defined and listen.tls -}}
{{- (' http ' + listen.http | string) if listen.http is defined and listen.http }} {
{{ functions.simple_item_list(listen.addresses) }}};
{% endfor %}

{% elif key == 'forwarders' %}
{{ functions.parent_address_port_dscp("forwarders", value) -}}

{% elif key == 'dual_stack_servers' %}
dual-stack-servers
{{ (' port ' + value.port | string) if value.port is defined and value }} {
{% for host in value.addresses %}
{% filter indent(bind9_config_indent, true) %}
{{ host.address | ansible.utils.ipaddr | ternary(host.address, '"' + host.address + '"') }}
{{- (' port ' + host.port | string) if host.port is defined and host.port -}}
{{- (' dscp ' + host.dscp | string) if host.dscp is defined and host.dscp -}};
{% endfilter %}
{% endfor %}};

{% elif key == 'dnstap_output' %}
dnstap-output {{ value.output_type -}}
{{- ' "' + value.output_file + '"' -}}
{{- (' size ' + value.size | string) if value.size is defined and value.size -}}
{{- (' versions ' + value.versions | string) if value.versions is defined and value.versions -}}
{{- (' suffix ' + value.suffix | string) if value.suffix is defined and value.suffix -}};

{% elif key == 'dnstap' %}
dnstap {
{% filter indent(bind9_config_indent, true) %}
{% for dnstap in value %}
{{ dnstap.type }}{{ ' ' + dnstap.log if dnstap.log is defined and dnstap.log }};
{% endfor %}
{% endfilter %}};

{% elif key == 'dns64' %}
{% for dns64 in (value if value is sequence else [value]) %}
dns64 {{ dns64.netprefix }} {
{% filter indent(bind9_config_indent, true) %}
{{ ('break-dnssec ' + functions.named_boolean(dns64.break_dnssec) + ';\n') if dns64.break_dnssec is defined and dns64.break_dnssec is boolean -}}
{{ ('recursive-only ' + functions.named_boolean(dns64.recursive_only) + ';\n') if dns64.recursive_only is defined and dns64.recursive_only is boolean -}}
{{ ('suffix ' + dns64.suffix + ';\n') if dns64.suffix is defined and dns64.suffix -}}
{{ ("clients {\n" + functions.simple_item_list(dns64.clients) + "};\n") if dns64.clients is defined and dns64.clients -}}
{{ ("exclude {\n" + functions.simple_item_list(dns64.exclude) + "};\n") if dns64.exclude is defined and dns64.exclude -}}
{{ ("mapped {\n" + functions.simple_item_list(dns64.mapped) + "};\n") if dns64.mapped is defined and dns64.mapped -}}
{% endfilter %}};
{% endfor %}

{% elif key == 'deny_answer_aliases' %}
deny-answer-aliases {
{{ functions.simple_item_list(value.names) }}}
{%- if value.except_from is defined and value.except_from %}
 except-from {
{{ functions.simple_item_list(value.except_from, 4) }}}
{%- endif %};

{% elif key == 'deny_answer_addresses' %}
deny-answer-addresses {
{{ functions.simple_item_list(value.addresses) }}}
{%- if value.except_from is defined and value.except_from %}
 except-from {
{{ functions.simple_item_list(value.except_from, 4) }}}
{%- endif %};

{% elif key == 'check_names' %}
{% for policy in value %}
check-names {{ policy.type }} {{ policy.action }};
{% endfor %}

{% elif key == 'catalog_zones' %}
catalog-zones {
{% for catalog_zone in value %}
zone {{ catalog_zone.zone }}
{% filter indent(bind9_config_indent, true) %}
{% if catalog_zone.default_primaries is defined and catalog_zone.default_primaries %}
default-primaries
{{- (' port ' + catalog_zone.default_primaries.port | string) if catalog_zone.default_primaries.port is defined and catalog_zone.default_primaries.port -}}
{{- (' dscp ' + catalog_zone.default_primaries.dscp | string) if catalog_zone.default_primaries.dscp is defined and catalog_zone.default_primaries.dscp }} {
{{ functions.list_address_port_key_tls(catalog_zone.default_primaries.primaries) }}}
{% endif %}
{{ ('zone-directory "' + catalog_zone.zone_directory + '"') if catalog_zone.zone_directory is defined and catalog_zone.zone_directory }}
{{ ('in-memory ' + (functions.named_boolean(catalog_zone.in_memory)) | string) if catalog_zone.in_memory is defined and catalog_zone.in_memory is boolean }}
{{ ('min-update-interval ' + catalog_zone.min_update_interval | string) if catalog_zone.min_update_interval is defined and catalog_zone.min_update_interval}};
{% endfilter %}
{% endfor %}};

{% elif key in ['transfer_source', 'transfer_source_v6', 'alt_transfer_source', 'alt_transfer_source_v6', 'query_source', 'query_source_v6', 'parental_source', 'parental_source_v6', 'notify_source', 'notify_source_v6'] %}
{{ functions.single_ip_port_dscp(conf_key, value) -}}

{% elif key == 'also_notify' and value is not string %}
also-notify
{{- (' port ' + value.port | string) if value.port is defined and value.port -}}
{{- (' dscp ' + value.dscp | string) if value.dscp is defined and value.dscp }} {
{{ functions.list_address_port_key_tls(value.addresses) }}};

{% elif key == 'allow_transfer' and value is not string %}
allow-transfer
{{- (' port ' + value.port | string) if value.port is defined and value.port -}}
{{- (' transport ' + value.transport) if value.transport is defined and value.transport }} {
{{ functions.simple_item_list(value.addresses) }}};

{% elif key == 'disable_algorithms' %}
{% for item in value %}
disable-algorithms {{ item.domain }} { "{{ item.algorithms | join('"; "') }}"; };
{% endfor %}

{% elif key == 'disable_ds_digests' %}
{% for item in value %}
disable-ds-digests {{ item.domain }} { "{{ item.digests | join('"; "') }}"; };
{% endfor %}

{% elif key == 'root_delegation_only' %}
root-delegation-only{% if value.exclude is defined and value.exclude is sequence %} exclude {
{{ functions.simple_item_list(value.exclude) }}}
{% endif %};

{% elif key == 'tkey_dhkey' %}
tkey-dhkey "{{ value.key_name }}" {{ value.key_tag }};

{# --- SPECIAL QUOTED STRINGS --- #}
{% elif key in ['dnstap_identity', 'server_id'] %}
{{ functions.reserved_or_quoted(conf_key, value, ['none', 'hostname']) -}}

{% elif key in ['dnstap_version', 'geoip_directory', 'hostname', 'lock_file', 'pid_file', 'random_device', 'session_keyfile', 'version'] %}
{{ functions.reserved_or_quoted(conf_key, value, ['none']) -}}

{# --- DEPRECATED/OBSOLETE --- #}
{% elif key == 'tkey_domain' %}
{# Obsolete in 9.20 #}
/* WARN: tkey-domain is obsolete in BIND 9.20 */
{{ functions.reserved_or_quoted(conf_key, value, ['none']) -}}

{% elif key == 'tkey_gssapi_credential' %}
{# Deprecated in 9.20 #}
/* WARN: tkey-gssapi-credential is deprecated in BIND 9.20; use tkey-gssapi-keytab */
{{ functions.reserved_or_quoted(conf_key, value, ['none']) -}}

{# --- SIMPLE LISTS --- #}
{% elif key in ['allow_notify', 'allow_query', 'allow_query_cache', 'allow_query_cache_on', 'allow_query_on', 'allow_recursion', 'allow_recursion_on', 'allow_update', 'allow_update_forwarding', 'blackhole', 'keep_response_order', 'no_case_compress', 'sortlist', 'avoid_v4_udp_ports', 'avoid_v6_udp_ports', 'use_v4_udp_ports', 'use_v6_udp_ports', 'validate_except'] %}
{{ conf_key }} {
{{ functions.simple_item_list(value) }}};

{# --- QUOTED STRINGS --- #}
{% elif key in ['bindkeys_file', 'directory', 'dump_file', 'key_directory', 'managed_keys_directory', 'memstatistics_file', 'new_zones_directory', 'recursing_file', 'secroots_file', 'statistics_file', 'tkey_gssapi_keytab'] %}
{{ conf_key }} "{{ value }}";

{# --- BOOLEANS --- #}
{% elif key in ['allow_new_zones', 'answer_cookie', 'auth_nxdomain', 'automatic_interface_scan', 'check_integrity', 'check_sibling', 'check_wildcard', 'dnsrps_enable', 'dnssec_accept_expired', 'dnssec_dnskey_kskonly', 'dnssec_secure_to_insecure', 'empty_zones_enable', 'flush_zones_on_shutdown', 'glue_cache', 'ipv4only_enable', 'match_mapped_addresses', 'memstatistics', 'message_compression', 'minimal_any', 'multi_master', 'notify_to_soa', 'provide_ixfr', 'querylog', 'recursion', 'request_expire', 'request_ixfr', 'request_nsid', 'require_server_cookie', 'reuseport', 'root_key_sentinel', 'send_cookie', 'stale_answer_enable', 'stale_cache_enable', 'synth_from_dnssec', 'trust_anchor_telemetry', 'try_tcp_refresh', 'update_check_ksk', 'use_alt_transfer_source', 'zero_no_soa_ttl', 'zero_no_soa_ttl_cache'] %}
{{ functions.boolean_option(conf_key, value) }}

{# --- BOOLEAN OR STRING --- #}
{% elif key in ['dialup', 'ixfr_from_differences', 'minimal_responses', 'notify', 'zone_statistics', 'dnssec_validation'] %}
{{ conf_key }} {{ functions.boolean_or_string(value) }};

{# --- FALLTHROUGH --- #}
{% else %}
{# Strict mode: Ignore unknown keys or warn if possible. For now, silence is safer than invalid config. #}
{% endif %}

{% endfor %}
{% endfilter %}
};