ansible/authoritative-nameserver.yaml

# Authoritative DNS server for
# k-space.ee, kspace.ee and k6.ee domains and several member domains
# Domain records mostly managed by external-dns running on the Kubernetes cluster
# Additionally cert-manager running on the Kubernetes cluster reads-writes DNS records

---
- name: Setup primary nameserver
  hosts: ns1.k-space.ee
  tasks:
  - name: Make sure bind9 is installed
    ansible.builtin.apt:
      name: bind9
      state: present

  - name: Configure Bind
    register: bind
    copy:
      dest: /etc/bind/named.conf
      content: |
        # This file is managed by Ansible
        # https://git.k-space.ee/k-space/ansible/src/branch/main/authoritative-nameserver.yaml
        # Do NOT modify manually

        include "/etc/bind/named.conf.local";
        include "/etc/bind/readwrite.key";
        include "/etc/bind/readonly.key";

        options {
            directory "/var/cache/bind";
            version "";
            listen-on { any; };
            listen-on-v6 { any; };
            pid-file "/var/run/named/named.pid";
            notify explicit; also-notify { 172.21.53.1; 172.21.53.2; 172.21.53.3; };
            allow-recursion { none; };
            recursion no;
            check-names master ignore;
            dnssec-validation no;
            auth-nxdomain no;
        };

        # https://kb.isc.org/docs/aa-00723

        acl allowed {
            172.21.3.0/24;
            172.20.4.0/24;
            172.20.5.0/24;            
        };

        acl rejected { !allowed; any; };

        zone "." {
            type hint;
            file "/var/lib/bind/db.root";
        };

        zone "k-space.ee" {
            type master;
            file "/var/lib/bind/db.k-space.ee";
            allow-update { !rejected; key readwrite; };
            allow-transfer { !rejected; key readonly; key readwrite; };
        };

        zone "k6.ee" {
            type master;
            file "/var/lib/bind/db.k6.ee";
            allow-update { !rejected; key readwrite; };
            allow-transfer { !rejected; key readonly; key readwrite; };
        };

        zone "kspace.ee" {
            type master;
            file "/var/lib/bind/db.kspace.ee";
            allow-update { !rejected; key readwrite; };
            allow-transfer { !rejected; key readonly; key readwrite; };
        };        
  - name: Check Bind config
    ansible.builtin.shell: "named-checkconf"
  - name: Reload Bind config
    service:
      name: bind9
      state: reloaded
    when: bind.changed