ansible-bind9-role/molecule/bind9-20/verify.yml

---
- name: Verify
  hosts: all
  gather_facts: true
  tasks:
    - name: Check that BIND9 is installed
      ansible.builtin.package:
        name: bind9
        state: present
      check_mode: true
      register: __bind9_package_check
      failed_when: __bind9_package_check is changed

    - name: Check that BIND9 service is running
      ansible.builtin.service:
        name: named
        state: started
        enabled: true
      check_mode: true
      register: __bind9_service_check
      failed_when: __bind9_service_check is changed

    - name: Check that BIND9 version is 9.20 or later
      ansible.builtin.command:
        cmd: named -v
      register: __bind9_version_check
      changed_when: false
      failed_when: false

    - name: Display BIND9 version
      ansible.builtin.debug:
        msg: "BIND9 version: {{ __bind9_version_check.stdout }}"

    - name: Check that named.conf.options exists
      ansible.builtin.stat:
        path: /etc/bind/named.conf.options
      register: __options_file
      failed_when: not __options_file.stat.exists

    - name: Check that named.conf.local exists
      ansible.builtin.stat:
        path: /etc/bind/named.conf.local
      register: __local_file
      failed_when: not __local_file.stat.exists

    - name: Read named.conf.options content
      ansible.builtin.slurp:
        path: /etc/bind/named.conf.options
      register: __options_content

    - name: Verify forwarders are configured in options
      ansible.builtin.assert:
        that:
          - "'forwarders' in __options_decoded"
          - "'91.239.100.100' in __options_decoded"
          - "'forward first' in __options_decoded"
        fail_msg: Forwarders not properly configured in named.conf.options
      vars:
        __options_decoded: "{{ __options_content.content | b64decode }}"

    - name: Read named.conf.local content
      ansible.builtin.slurp:
        path: /etc/bind/named.conf.local
      register: __local_content

    - name: Verify forward zone is configured
      ansible.builtin.assert:
        that:
          - "'zone \"example.internal\"' in __local_decoded"
          - "'type forward' in __local_decoded"
          - "'forward only' in __local_decoded"
        fail_msg: Forward zone not properly configured in named.conf.local
      vars:
        __local_decoded: "{{ __local_content.content | b64decode }}"

    - name: Test DNS resolution using localhost
      ansible.builtin.command:
        cmd: dig @localhost google.com +short
      register: __dns_query
      changed_when: false
      failed_when: __dns_query.rc != 0

    - name: Verify DNS query returned results
      ansible.builtin.assert:
        that:
          - __dns_query.stdout_lines | length > 0
        fail_msg: DNS forwarding is not working

    - name: Validate configuration syntax with named-checkconf
      ansible.builtin.command:
        cmd: named-checkconf /etc/bind/named.conf
      register: __named_checkconf
      changed_when: false
      failed_when: __named_checkconf.rc != 0

    - name: Check BIND logs for errors
      ansible.builtin.command:
        cmd: tail -30 /var/log/named/default.log
      register: __bind_logs
      changed_when: false

    - name: Display BIND logs
      ansible.builtin.debug:
        msg: "BIND logs:\n{{ __bind_logs.stdout }}"

    - name: Verify no critical errors in logs
      ansible.builtin.shell: |
        if grep -i "error" /var/log/named/default.log | grep -v "error reporting" > /dev/null; then
          exit 1
        fi
      changed_when: false
      failed_when: false
      register: __error_check

    - name: Assert no critical errors found
      ansible.builtin.assert:
        that:
          - __error_check.rc == 0
        fail_msg: Found critical errors in BIND logs