ansible-bind9-role/molecule/bind9-20

BIND9 9.20 Molecule Scenario

This Molecule scenario validates the ansible-bind9-role with BIND9 9.20 and later feature releases.

Purpose

• Tests role compatibility with BIND9 9.20+ which includes 44 breaking changes from 9.18.x
• Validates version-specific templates and configurations
• Ensures configuration syntax is correct for newer BIND9 versions
• Documents 9.20-specific configuration patterns

Platform

• Base Image: Ubuntu 24.04 LTS (docker.io/library/ubuntu:24.04)
• BIND9 Version: 9.20.x or later (as available in Ubuntu 24.04 repositories)

Notable BIND9 9.20 Changes

Key breaking changes in this scenario:

1. Automatic Options: The following options are automatically enabled in 9.20 and should not be configured:

   • glue-cache - Always enabled
   • keep-response-order - Always enabled
   • reuse - Always enabled
   • recursion-enabled - Always enabled

2. Removed Options: These options are no longer supported in 9.20:

   • alt-transfer-source - Use TLS instead
   • alt-transfer-source-v6 - Use TLS instead
   • auto-dnssec - DNSSEC management is automatic
   • dsc - Use TLS configuration instead
   • gssapi-credential - Use TSIG + TLS instead
   • heartbeat-interval - Zone transfer monitoring changed
   • lock-file - OS-level locking is used
   • root-delegation-only - Use zone constraints instead

3. Enhanced Features:

   • Improved TLS/DoT support for zone transfers
   • Native DNSSEC management
   • Better resolver behavior and retry logic
   • Native HTTP/HTTPS server capabilities

Configuration Features Tested

• DNS Forwarding: Forward zones with TLS-based forwarders (DoT)
• Query Logging: Detailed query and response logging
• DNSTAP: DNS packet capture for forensics
• TLS Configuration: Modern TLS configurations for zone transfers
• Recursion: Proper recursion configuration with ACLs
• DNSSEC Validation: Modern DNSSEC validation approach

Testing

To run this scenario:

# Test with this specific scenario
cd /path/to/ansible-bind9-role
molecule test -s bind9-20

# Or specific steps
molecule create -s bind9-20
molecule converge -s bind9-20
molecule verify -s bind9-20
molecule destroy -s bind9-20

Expected Results

• BIND9 service starts successfully
• Configuration files are generated without errors
• DNS forwarding works correctly
• Named-checkconf validates the configuration
• All log channels are operational
• TLS connections are established for forwarders

Troubleshooting

BIND9 Package Not Available

If BIND9 9.20 is not available in Ubuntu 24.04 repositories, you may need to:

1. Build from source using the upstream ISC BIND9 repository
2. Use a different base image with more recent BIND9 packages
3. Add a custom APT repository with backported packages

Configuration Syntax Errors

Review /etc/bind/named.conf using:

named-checkconf /etc/bind/named.conf

Check logs at /var/log/named/default.log for specific error messages.

Future Updates

• Add support for BIND9 9.20 DNS-over-HTTPS (DoH)
• Test with BIND9 9.22+ when released
• Validate performance improvements
• Test clustering/replication features

References

• BIND9 Documentation
• BIND9 9.20 Release Notes
• DNS-over-TLS (DoT) RFC 7858