From f8f9a62ce9faf2a3685a424a1019d1cec03c1273 Mon Sep 17 00:00:00 2001
From: Matt Birkholz <matt@birchwood-abbey.net>
Date: Thu, 20 Nov 2025 16:21:55 -0700
Subject: [PATCH] Add dnssec-validation setting per new BIND9 defaults.

Without this, testing failed because it could not resolve names in
secure domains.
---
 README.org                  | 2 ++
 roles_t/core/tasks/main.yml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/README.org b/README.org
index cc4ce36..d053a47 100644
--- a/README.org
+++ b/README.org
@@ -2695,6 +2695,8 @@ options {
 	allow-recursion { trusted; };
 	allow-query-cache { trusted; };
 
+	dnssec-validation yes;
+
 	listen-on {
 		{{ core_addr }};
 		localhost;
diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml
index 65fb66e..93c466d 100644
--- a/roles_t/core/tasks/main.yml
+++ b/roles_t/core/tasks/main.yml
@@ -126,6 +126,8 @@
       	allow-recursion { trusted; };
       	allow-query-cache { trusted; };
       
+      	dnssec-validation yes;
+      
       	listen-on {
       		{{ core_addr }};
       		localhost;
-- 
2.25.1