systemli / ansible-role-bind9

Ansible role to install and maintain the Bind9 nameserver on Debian
GNU General Public License v3.0

[Question] 'bind9_hidden_master' variable should limit queries to 'our_networks' or 'our_neighbors'? #67

Open epou opened 1 year ago

epou commented 1 year ago

Setting bind9_hidden_master: yes is setting the following in the named.conf.options file:

[...]
    allow-query { our_neighbors; };
[...]

But I'm not sure if it should set the allow-query param to our_networks, as specified in defaults/main.yaml: https://github.com/systemli/ansible-role-bind9/blob/c6f785499ca992fb827f7d633cca0306f504d5af/defaults/main.yml#L28-L29

t2d commented 1 year ago

Sorry, I don't understand your issue. What is happening and what would you expect instead?

epou commented 1 year ago

I wondered what the expected behavior would be for setting bind9_hidden_master: yes. In the defaults/main.yml the comment says that it limits the queries to our_networks but by looking at the templates it limits the queries to our_neighbors.

At first, I expected to have allow-query { our_neighbors; }; as a result of enabling the hidden master. Is there something I am missing?

t2d commented 1 year ago

You are right, the documentation is a bit ambiguous. But the code is very clear:

❯ rg -B1 bind9_hidden_master
defaults/main.yml
28-# Run bind as a hidden master (i.e. limit queries to our_networks)
29:bind9_hidden_master: no

templates/bind/named.conf.options.j2
34-
35: allow-query { {% if bind9_hidden_master|default() %}our_neighbors{% elif bind9_authoritative|default() %}any{% else %}our_networks{% endif %}; };

A PR with better doc is very welcome.
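As an added example (not part of this thread and not the role's own code), the following Python check mirrors the precedence of the template line quoted above and compares it with the allow-query statement in a rendered named.conf.options. The function names and the sample configuration are constructed for illustration; the comment stripping assumes the file has no quoted strings containing comment markers.

```python
import re

# Constructed sample of a rendered named.conf.options (not taken from the role).
SAMPLE = """
options {
    // allow-query { any; };
    allow-query { our_neighbors; };
    allow-query-cache { our_networks; };
};
"""

def expected_allow_query(hidden_master=False, authoritative=False):
    """Mirror the template's if/elif/else: hidden master wins over authoritative."""
    if hidden_master:
        return "our_neighbors"
    if authoritative:
        return "any"
    return "our_networks"

def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out statements are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def allow_query_acls(conf):
    """Return the element list of every allow-query statement (not allow-query-cache)."""
    bodies = re.findall(r"\ballow-query\s*\{([^{}]*)\}\s*;", strip_comments(conf))
    return [[e.strip() for e in body.split(";") if e.strip()] for body in bodies]

def audit(conf, hidden_master=False, authoritative=False):
    """Return findings; an empty list means the file matches the role variables."""
    want = expected_allow_query(hidden_master, authoritative)
    acls = allow_query_acls(conf)
    if not acls:
        return ["no allow-query statement found"]
    findings = []
    for acl in acls:
        if acl != [want]:
            findings.append("allow-query is %s, expected %s" % (acl, [want]))
    return findings

if __name__ == "__main__":
    # With bind9_hidden_master enabled the sample matches; without it, it is flagged.
    print(audit(SAMPLE, hidden_master=True))
    print(audit(SAMPLE, hidden_master=False))
```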