daniel/ansible-bind9-role
1
0
Fork 0
Code Issues 3 Pull Requests 1 Actions Releases Wiki Activity
Files
a298665e9347d6dbb6cecfb296219eab7738732e
ansible-bind9-role/molecule/bind9-20/README.md
Daniel Akulenok 528caeddeb
Some checks failed
Test / Lint (push) Successful in 15s
Details
Test / Lint (pull_request) Successful in 15s
Details
Test / Test (push) Has been skipped
Details
Test / Test (pull_request) Failing after 34s
Details
feat: Add BIND9 9.20 molecule scenario and support documentation 
- Added molecule/bind9-20 scenario for testing BIND9 9.20+ compatibility
  - molecule.yml: Ubuntu 24.04 platform configuration
  - converge.yml: Complete 9.20 configuration with TLS, DNSTAP, and modern features
  - verify.yml: Comprehensive test cases for 9.20 features
  - collections.yml: Required Ansible collections
  - prepare.yml: Pre-test environment setup
  - README.md: Scenario documentation with breaking changes reference

- Added docs/BIND9_9.20_SUPPORT.md implementation guide
  - Architecture overview for multi-version support
  - Runtime version detection strategy
  - Configuration changes and examples
  - Migration path for upgrading users
  - Feature highlights for BIND9 9.20

- Updated meta/argument_specs.yml
  - Added multi-version support documentation
  - Documented bind9_version variable (read-only, auto-detected)
  - Clarified supported BIND9 versions (9.18.x LTS and 9.20+)

These changes establish the feature/bind9-20-support branch as the development
path for BIND9 9.20+ support, separate from the main branch's 9.18.x focus.

Closes #9: Create feature/bind9-20-support branch with 9.20 templates
2026-02-07 23:58:31 +01:00

109 lines
3.3 KiB
Markdown
Raw Blame History

# BIND9 9.20 Molecule Scenario
This Molecule scenario validates the ansible-bind9-role with BIND9 9.20 and later feature releases.
## Purpose
- Tests role compatibility with BIND9 9.20+ which includes 44 breaking changes from 9.18.x
- Validates version-specific templates and configurations
- Ensures configuration syntax is correct for newer BIND9 versions
- Documents 9.20-specific configuration patterns
## Platform
- **Base Image**: Ubuntu 24.04 LTS (docker.io/library/ubuntu:24.04)
- **BIND9 Version**: 9.20.x or later (as available in Ubuntu 24.04 repositories)
## Notable BIND9 9.20 Changes
Key breaking changes in this scenario:
1. **Automatic Options**: The following options are automatically enabled in 9.20 and should not be configured:
- `glue-cache` - Always enabled
- `keep-response-order` - Always enabled
- `reuse` - Always enabled
- `recursion-enabled` - Always enabled
2. **Removed Options**: These options are no longer supported in 9.20:
- `alt-transfer-source` - Use TLS instead
- `alt-transfer-source-v6` - Use TLS instead
- `auto-dnssec` - DNSSEC management is automatic
- `dsc` - Use TLS configuration instead
- `gssapi-credential` - Use TSIG + TLS instead
- `heartbeat-interval` - Zone transfer monitoring changed
- `lock-file` - OS-level locking is used
- `root-delegation-only` - Use zone constraints instead
3. **Enhanced Features**:
- Improved TLS/DoT support for zone transfers
- Native DNSSEC management
- Better resolver behavior and retry logic
- Native HTTP/HTTPS server capabilities
## Configuration Features Tested
- **DNS Forwarding**: Forward zones with TLS-based forwarders (DoT)
- **Query Logging**: Detailed query and response logging
- **DNSTAP**: DNS packet capture for forensics
- **TLS Configuration**: Modern TLS configurations for zone transfers
- **Recursion**: Proper recursion configuration with ACLs
- **DNSSEC Validation**: Modern DNSSEC validation approach
## Testing
To run this scenario:
```bash
# Test with this specific scenario
cd /path/to/ansible-bind9-role
molecule test -s bind9-20
# Or specific steps
molecule create -s bind9-20
molecule converge -s bind9-20
molecule verify -s bind9-20
molecule destroy -s bind9-20
```
## Expected Results
- BIND9 service starts successfully
- Configuration files are generated without errors
- DNS forwarding works correctly
- Named-checkconf validates the configuration
- All log channels are operational
- TLS connections are established for forwarders
## Troubleshooting
### BIND9 Package Not Available
If BIND9 9.20 is not available in Ubuntu 24.04 repositories, you may need to:
1. Build from source using the upstream ISC BIND9 repository
2. Use a different base image with more recent BIND9 packages
3. Add a custom APT repository with backported packages
### Configuration Syntax Errors
Review `/etc/bind/named.conf` using:
```bash
named-checkconf /etc/bind/named.conf
```
Check logs at `/var/log/named/default.log` for specific error messages.
## Future Updates
- [ ] Add support for BIND9 9.20 DNS-over-HTTPS (DoH)
- [ ] Test with BIND9 9.22+ when released
- [ ] Validate performance improvements
- [ ] Test clustering/replication features
## References
- [BIND9 Documentation](https://bind9.readthedocs.io/)
- [BIND9 9.20 Release Notes](https://www.isc.org/bind/)
- [DNS-over-TLS (DoT) RFC 7858](https://tools.ietf.org/html/rfc7858)
Reference in New Issue View Git Blame Copy Permalink