a298665e93
- Add dnsutils and bind9-doc installation in prepare.yml Ensures dig command and documentation are available for testing - Enhance verify.yml with improved validation: - Add named-checkconf syntax validation - Improve error detection logic in BIND logs - Add explicit error check assertions - Increase log tail output from 20 to 30 lines for better diagnostics These fixes address PR #14 review issues #3, #4, and #5: - Issue #3: Molecule converge.yml configuration (valid, no changes needed) - Issue #4: prepare.yml now installs required testing tools - Issue #5: verify.yml now includes better validation and error checking Related to: PR #14
BIND9 9.20 Molecule Scenario
This Molecule scenario validates the ansible-bind9-role with BIND9 9.20 and later feature releases.
Purpose
- Tests role compatibility with BIND9 9.20+ which includes 44 breaking changes from 9.18.x
- Validates version-specific templates and configurations
- Ensures configuration syntax is correct for newer BIND9 versions
- Documents 9.20-specific configuration patterns
Platform
- Base Image: Ubuntu 24.04 LTS (docker.io/library/ubuntu:24.04)
- BIND9 Version: 9.20.x or later (as available in Ubuntu 24.04 repositories)
Notable BIND9 9.20 Changes
Key breaking changes in this scenario:
-
Automatic Options: The following options are automatically enabled in 9.20 and should not be configured:
glue-cache- Always enabledkeep-response-order- Always enabledreuse- Always enabledrecursion-enabled- Always enabled
-
Removed Options: These options are no longer supported in 9.20:
alt-transfer-source- Use TLS insteadalt-transfer-source-v6- Use TLS insteadauto-dnssec- DNSSEC management is automaticdsc- Use TLS configuration insteadgssapi-credential- Use TSIG + TLS insteadheartbeat-interval- Zone transfer monitoring changedlock-file- OS-level locking is usedroot-delegation-only- Use zone constraints instead
-
Enhanced Features:
- Improved TLS/DoT support for zone transfers
- Native DNSSEC management
- Better resolver behavior and retry logic
- Native HTTP/HTTPS server capabilities
Configuration Features Tested
- DNS Forwarding: Forward zones with TLS-based forwarders (DoT)
- Query Logging: Detailed query and response logging
- DNSTAP: DNS packet capture for forensics
- TLS Configuration: Modern TLS configurations for zone transfers
- Recursion: Proper recursion configuration with ACLs
- DNSSEC Validation: Modern DNSSEC validation approach
Testing
To run this scenario:
# Test with this specific scenario
cd /path/to/ansible-bind9-role
molecule test -s bind9-20
# Or specific steps
molecule create -s bind9-20
molecule converge -s bind9-20
molecule verify -s bind9-20
molecule destroy -s bind9-20
Expected Results
- BIND9 service starts successfully
- Configuration files are generated without errors
- DNS forwarding works correctly
- Named-checkconf validates the configuration
- All log channels are operational
- TLS connections are established for forwarders
Troubleshooting
BIND9 Package Not Available
If BIND9 9.20 is not available in Ubuntu 24.04 repositories, you may need to:
- Build from source using the upstream ISC BIND9 repository
- Use a different base image with more recent BIND9 packages
- Add a custom APT repository with backported packages
Configuration Syntax Errors
Review /etc/bind/named.conf using:
named-checkconf /etc/bind/named.conf
Check logs at /var/log/named/default.log for specific error messages.
Future Updates
- Add support for BIND9 9.20 DNS-over-HTTPS (DoH)
- Test with BIND9 9.22+ when released
- Validate performance improvements
- Test clustering/replication features