add in recursion fixes

handlers/main.yml

@@ -4,3 +4,9 @@
   ansible.builtin.service:
     name: NetworkManager
     state: reloaded
+
+- name: restart_named
+  ansible.builtin.service:
+    name: named
+    state: restarted
+...

role-rocky-ipa-client.yml

@@ -5,7 +5,8 @@
   hosts: ipaclient
   become: true
   vars_files:
-  - vars/ipa/ipaclient.yml
+    - vars/ipa/common.yml
+    - vars/ipa/ipaclient.yml
 
   pre_tasks:
     - name: Check if ansible cannot be run here

role-rocky-ipa-replica.yml

@@ -5,6 +5,7 @@
   hosts: ipareplica
   become: true
   vars_files:
+    - vars/ipa/common.yml
     - vars/ipa/ipareplica.yml
 
   # This is to try to avoid the handler issue in pre/post tasks
@@ -71,4 +72,7 @@
         mode: '0644'
         owner: root
         group: root
+
+    - name: Configure recursion for private nets
+      import_tasks: tasks/dns-ext.yml
 ...

role-rocky-ipa.yml

@@ -10,6 +10,7 @@
   hosts: ipaserver
   become: true
   vars_files:
+    - vars/ipa/common.yml
     - vars/ipa/ipaserver.yml
 
   # This is to try to avoid the handler issue in pre/post tasks
@@ -81,4 +82,7 @@
       freeipa.ansible_freeipa.ipadnsconfig:
         ipaadmin_password: '{{ ipaadmin_password }}'
         allow_sync_ptr: true
+
+    - name: Configure recursion for private nets
+      import_tasks: tasks/dns-ext.yml
 ...

tasks/dns-ext.yml

@@ -0,0 +1,19 @@
+---
+- name: Configure ACL for nets
+  ansible.builtin.template:
+    src: "etc/named/ipa-ext.conf"
+    dest: "/etc/named/ipa-ext.conf"
+    owner: root
+    group: named
+    mode: '0640'
+  notify: restart_named
+
+- name: Turn on recursion for nets
+  ansible.builtin.template:
+    src: "etc/named/ipa-options-ext.conf"
+    dest: "/etc/named/ipa-options-ext.conf"
+    owner: root
+    group: named
+    mode: '0640'
+  notify: restart_named
+...

templates/etc/named/ipa-ext.conf

@@ -0,0 +1,18 @@
+/* User customization for BIND named
+ *
+ * This file is included in /etc/named.conf and is not modified during IPA
+ * upgrades.
+ *
+ * "options" settings must be configured in /etc/named/ipa-options-ext.conf.
+ *
+ * Example: ACL for recursion access:
+ *
+ * acl "trusted_network" {
+ *   localnets;
+ *   localhost;
+ *   234.234.234.0/24;
+ *   2001::co:ffee:babe:1/48;
+ * };
+ */
+
+acl "trusted_nets" { {{ ipa_trusted_nets|join(';') }} };

templates/etc/named/ipa-options-ext.conf

@@ -0,0 +1,21 @@
+/* User customization for BIND named
+ *
+ * This file is included in /etc/named.conf and is not modified during IPA
+ * upgrades.
+ *
+ * It must only contain "options" settings. Any other setting must be
+ * configured in /etc/named/ipa-ext.conf.
+ *
+ * Examples:
+ * allow-recursion { trusted_network; };
+ * allow-query-cache { trusted_network; };
+ */
+
+/* turns on IPv6 for port 53, IPv4 is on by default for all ifaces */
+listen-on-v6 { any; };
+
+/* dnssec-enable is obsolete and 'yes' by default */
+dnssec-validation yes;
+
+allow-recursion { trusted_nets; };
+allow-query-cache { trusted_nets; };

vars/ipa/common.yml

@@ -0,0 +1,6 @@
+---
+ipa_trusted_nets:
+  - localnets
+  - localhost
+  - 10.0.0.0/8
+...