From 644abbcbf0d8160770fc0d4304fa23c4cd832e20 Mon Sep 17 00:00:00 2001
From: Matt Birkholz <matt@birchwood-abbey.net>
Date: Sun, 21 Apr 2024 14:28:04 -0600
Subject: [PATCH] Simplify BIND options for Debian 12.  Listen on localhost.

Punt disabling SecureDNS; run with the defaults.  One or both of the
dnssec- options is no longer supported by BIND.
---
 README.org                  | 30 ++++++++++--------------------
 roles_t/core/tasks/main.yml | 27 +++++++++------------------
 2 files changed, 19 insertions(+), 38 deletions(-)

diff --git a/README.org b/README.org
index 8e6f867..be22896 100644
--- a/README.org
+++ b/README.org
@@ -2672,18 +2672,17 @@ The following tasks install and configure BIND9 on Core.
 Examples of the necessary zone files, for the "Install BIND9
 zonefiles." task above, are given below.  If the campus ISP provided
 one or more IP addresses for stable name servers, those should
-probably be used as forwarders rather than Google.  And SecureDNS just
-craps up =/var/log/= and the Systemd journal.
+probably be used as forwarders rather than Google.
 
 #+NAME: bind-options
 #+CAPTION: ~bind-options~
 #+BEGIN_SRC conf
 acl "trusted" {
-    {{ private_net_cidr }};
-    {{ public_vpn_net_cidr }};
-    {{ campus_vpn_net_cidr }};
-    {{ gate_wifi_net_cidr }};
-    localhost;
+	{{ private_net_cidr }};
+	{{ public_vpn_net_cidr }};
+	{{ campus_vpn_net_cidr }};
+	{{ gate_wifi_net_cidr }};
+	localhost;
 };
 
 options {
@@ -2698,19 +2697,10 @@ options {
 	allow-recursion { trusted; };
 	allow-query-cache { trusted; };
 
-	//============================================================
-	// If BIND logs error messages about the root key being
-	// expired, you will need to update your keys.
-	// See https://www.isc.org/bind-keys
-	//============================================================
-	//dnssec-validation auto;
-	// If Secure DNS is too much of a headache...
-	dnssec-enable no;
-	dnssec-validation no;
-
-	auth-nxdomain no;    # conform to RFC1035
-	//listen-on-v6 { any; };
-	listen-on { {{ core_addr }}; };
+	listen-on {
+		{{ core_addr }};
+		localhost;
+	};
 };
 #+END_SRC
 
diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml
index a63a7f1..0fd0455 100644
--- a/roles_t/core/tasks/main.yml
+++ b/roles_t/core/tasks/main.yml
@@ -92,11 +92,11 @@
   copy:
     content: |
       acl "trusted" {
-          {{ private_net_cidr }};
-          {{ public_vpn_net_cidr }};
-          {{ campus_vpn_net_cidr }};
-          {{ gate_wifi_net_cidr }};
-          localhost;
+      	{{ private_net_cidr }};
+      	{{ public_vpn_net_cidr }};
+      	{{ campus_vpn_net_cidr }};
+      	{{ gate_wifi_net_cidr }};
+      	localhost;
       };
       
       options {
@@ -111,19 +111,10 @@
       	allow-recursion { trusted; };
       	allow-query-cache { trusted; };
       
-      	//============================================================
-      	// If BIND logs error messages about the root key being
-      	// expired, you will need to update your keys.
-      	// See https://www.isc.org/bind-keys
-      	//============================================================
-      	//dnssec-validation auto;
-      	// If Secure DNS is too much of a headache...
-      	dnssec-enable no;
-      	dnssec-validation no;
-      
-      	auth-nxdomain no;    # conform to RFC1035
-      	//listen-on-v6 { any; };
-      	listen-on { {{ core_addr }}; };
+      	listen-on {
+      		{{ core_addr }};
+      		localhost;
+      	};
       };
     dest: /etc/bind/named.conf.options
   notify: Reload BIND9.
-- 
2.25.1