From: Matt Birkholz <matt@birchwood-abbey.net>
Date: Thu, 20 Nov 2025 23:21:55 +0000 (-0700)
Subject: Add dnssec-validation setting per new BIND9 defaults.
X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=f8f9a62ce9faf2a3685a424a1019d1cec03c1273;p=Institute.git

Add dnssec-validation setting per new BIND9 defaults.

Without this, testing failed because it could not resolve names in
secure domains.
---

diff --git a/README.org b/README.org
index cc4ce36..d053a47 100644
--- a/README.org
+++ b/README.org
@@ -2695,6 +2695,8 @@ options {
 	allow-recursion { trusted; };
 	allow-query-cache { trusted; };
 
+	dnssec-validation yes;
+
 	listen-on {
 		{{ core_addr }};
 		localhost;
diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml
index 65fb66e..93c466d 100644
--- a/roles_t/core/tasks/main.yml
+++ b/roles_t/core/tasks/main.yml
@@ -126,6 +126,8 @@
       	allow-recursion { trusted; };
       	allow-query-cache { trusted; };
       
+      	dnssec-validation yes;
+      
       	listen-on {
       		{{ core_addr }};
       		localhost;