Simplify BIND options for Debian 12. Listen on localhost.

Punt disabling SecureDNS; run with the defaults.  One or both of the
dnssec- options is no longer supported by BIND.

diff --git a/README.org b/README.org
index 8e6f867b287d1c2c2bed420f23919d8f33350172..be228967ad05f1dc80fbbd6a8079524e671a5db4 100644 (file)
--- a/README.org
+++ b/README.org
@@ -2672,18 +2672,17 @@ The following tasks install and configure BIND9 on Core.
 Examples of the necessary zone files, for the "Install BIND9
 zonefiles." task above, are given below.  If the campus ISP provided
 one or more IP addresses for stable name servers, those should
-probably be used as forwarders rather than Google.  And SecureDNS just
-craps up =/var/log/= and the Systemd journal.
+probably be used as forwarders rather than Google.
 
 #+NAME: bind-options
 #+CAPTION: ~bind-options~
 #+BEGIN_SRC conf
 acl "trusted" {
-    {{ private_net_cidr }};
-    {{ public_vpn_net_cidr }};
-    {{ campus_vpn_net_cidr }};
-    {{ gate_wifi_net_cidr }};
-    localhost;
+       {{ private_net_cidr }};
+       {{ public_vpn_net_cidr }};
+       {{ campus_vpn_net_cidr }};
+       {{ gate_wifi_net_cidr }};
+       localhost;
 };
 
 options {
@@ -2698,19 +2697,10 @@ options {
        allow-recursion { trusted; };
        allow-query-cache { trusted; };
 
-       //============================================================
-       // If BIND logs error messages about the root key being
-       // expired, you will need to update your keys.
-       // See https://www.isc.org/bind-keys
-       //============================================================
-       //dnssec-validation auto;
-       // If Secure DNS is too much of a headache...
-       dnssec-enable no;
-       dnssec-validation no;
-
-       auth-nxdomain no;    # conform to RFC1035
-       //listen-on-v6 { any; };
-       listen-on { {{ core_addr }}; };
+       listen-on {
+               {{ core_addr }};
+               localhost;
+       };
 };
 #+END_SRC
 

diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml
index a63a7f10e63973e22cad25a511d164ef483f116e..0fd0455a3796b287f99ad6c3a302dfaad406103b 100644 (file)
--- a/roles_t/core/tasks/main.yml
+++ b/roles_t/core/tasks/main.yml
@@ -92,11 +92,11 @@
   copy:
     content: |
       acl "trusted" {
-          {{ private_net_cidr }};
-          {{ public_vpn_net_cidr }};
-          {{ campus_vpn_net_cidr }};
-          {{ gate_wifi_net_cidr }};
-          localhost;
+       {{ private_net_cidr }};
+       {{ public_vpn_net_cidr }};
+       {{ campus_vpn_net_cidr }};
+       {{ gate_wifi_net_cidr }};
+       localhost;
       };
       
       options {
@@ -111,19 +111,10 @@
        allow-recursion { trusted; };
        allow-query-cache { trusted; };
       
-       //============================================================
-       // If BIND logs error messages about the root key being
-       // expired, you will need to update your keys.
-       // See https://www.isc.org/bind-keys
-       //============================================================
-       //dnssec-validation auto;
-       // If Secure DNS is too much of a headache...
-       dnssec-enable no;
-       dnssec-validation no;
-      
-       auth-nxdomain no;    # conform to RFC1035
-       //listen-on-v6 { any; };
-       listen-on { {{ core_addr }}; };
+       listen-on {
+               {{ core_addr }};
+               localhost;
+       };
       };
     dest: /etc/bind/named.conf.options
   notify: Reload BIND9.