Remove the ability of dns_forward_zones to configure ip listening/allowed ranges

Update documentation to reflect this change.

Change restart behavior to run `systemctl daemon-reload` to adapt to
possible reconfiguration of unit file.

Bug fix in config file - had listen instead of access-control in one
section.

Change-Id: I0aa01a1ad5cd06f79e5c4fda68367e1416c6bd9d
diff --git a/README.md b/README.md
index 12cc7b0..c85a6d0 100644
--- a/README.md
+++ b/README.md
@@ -14,10 +14,23 @@
 
 ## Configuration
 
-See the NSD role for descriptions of `dns_forward_zones` and
-`dns_reverse_zones` - if those are defined, then Unbound will forward queries
-for those zones to the NSD server - by default, it's assume to be running on
-  the same host, listening at 127.0.0.1:53.
+By default unbound will listen on 127.0.0.1:53, which conflicts with NSD if
+running on the same system.  You must set `unbound_listen_default` (listens on
+the Ansible default interface IPv4 address) or `unbound_listen_ips` (list of IP
+addresses to listen on, must be plumbed through or unbound will not start) if
+you wish to run this on the same host as NSD.
+
+By default, unbound will only allow queries from the local machine
+(127.0.0.0/24). To allow other IP ranges to connect, either set
+`unbound_allow_all` (allows all IPs, not recommended unless on a trusted
+network), or `unbound_allow_ips` (list of IP addresses with CIDR mask) to allow
+queries from.
+
+Both the `dns_forward_zones` and `dns_reverse_zones` structures are used to
+determine the `stub-zone` configuration.  Previous versions of this role
+allowed for using IP addresses from the `dns_forward_zones` or `dns_zones`
+structures to determine allowed and listening IP addresses. This is no longer
+supported.
 
 If you're using a network that already has DNS servers, or you want to use
 specific DNS servers external to the network you can specify the zones they
diff --git a/defaults/main.yml b/defaults/main.yml
index 725181c..898efcd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,12 +6,10 @@
 
 # which IP addresses to listen on
 unbound_listen_default: false
-unbound_listen_zone_ips: true
 unbound_listen_ips: []
 
 # which addresses to answer queries for
 unbound_allow_all: false
-unbound_allow_zone_ips: "{{ unbound_listen_zone_ips }}"
 unbound_allow_ips: "{{ unbound_listen_ips }}"
 
 # IP of authoritative nameserver that serves stub zones
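Review bot: `unbound_allow_ips` now defaults to `unbound_listen_ips`, but the README in this commit documents the two differently — allow entries carry a CIDR mask, listen entries are plain addresses — so with the default the template renders `access-control: <address> allow` lines with no mask, which (if unbound treats a bare address as a single-host netblock; verify against the unbound documentation) permits queries only from the listening addresses themselves. The comment on the line above should make that explicit: `# which addresses to answer queries for (CIDR netblocks; defaults to the listen addresses only)`. The removed `unbound_listen_zone_ips` / `unbound_allow_zone_ips` are also silently ignored if an inventory still sets them, which is fail-closed for access control but drops listeners without any warning; a `fail`/`assert` task in the role that fires when either variable is defined would surface that at run time.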
diff --git a/handlers/main.yml b/handlers/main.yml
index e9afa01..8656821 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -7,4 +7,5 @@
 - name: unbound-restart
   service:
     name: "{{ unbound_service }}"
+    daemon_reload: true
     state: restarted
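Review bot: `daemon_reload` is a parameter of the `ansible.builtin.systemd` module, not a documented option of the generic `service` module used by this handler; whether it reaches systemd depends on the `service` action plugin forwarding the argument, so it may be rejected or ignored depending on the Ansible version — verify against the version the role targets. Since the commit explicitly intends a `systemctl daemon-reload`, the handler is clearer and portable across versions if it names the module directly, i.e. replace `service:` with `systemd:` and keep the three arguments below it unchanged. If the role must still support non-systemd hosts, that is the case to document on the handler instead.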
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index e82ff98..16a4e73 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -9,7 +9,6 @@
   vars:
     unbound_allow_all: true
     unbound_listen_default: true
-    unbound_listen_zone_ips: false
   tasks:
     - name: "Include unbound"
       include_role:
diff --git a/templates/unbound.conf.j2 b/templates/unbound.conf.j2
index d6b3feb..1c2f1c3 100644
--- a/templates/unbound.conf.j2
+++ b/templates/unbound.conf.j2
@@ -25,16 +25,10 @@
 {% else %}
   # allow queries from localhost
   access-control: 127.0.0.0/24 allow
-{% if unbound_allow_zone_ips and dns_forward_zones %}
-  # allow from networks defined in zones
-{% for key, value in dns_forward_zones.items() %}
-  access-control: {{ value.ip_range }} allow
-{% endfor %}
-{% endif %}
 {% if unbound_allow_ips %}
   # listen on specific IPs
 {% for ip in unbound_allow_ips %}
-  interface: {{ ip }} allow
+  access-control: {{ ip }} allow
 {% endfor %}
 {% endif %}
 {% endif %}
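Review bot: The comment `# listen on specific IPs` above the `unbound_allow_ips` loop is now wrong: the corrected line emits `access-control:` entries, so it should read `# allow queries from specific IPs`. With the defaults in this commit `unbound_allow_ips` falls back to `unbound_listen_ips`, so the values rendered here may be bare addresses rather than the CIDR netblocks the README describes; the template does not validate the form and renders whatever the variable holds into the `access-control` line, so a malformed or overly broad entry surfaces only at unbound start-up or, worse, as an open resolver — a short comment stating the expected form (`# entries are CIDR netblocks, e.g. a /24; a bare address allows that host only`) would help operators. The outer `{% if %}` that the last line of this hunk closes starts before the hunk.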
@@ -45,16 +39,7 @@
   interface: {{ ansible_default_ipv4.address }}
 
 {% endif %}
-{% if unbound_listen_zone_ips and dns_forward_zones %}
-{% for key, value in dns_forward_zones.items() %}
-{% set if_ip = value.ip_range | ipaddr('next_usable') | ipaddr('address') %}
-{% if if_ip in ansible_all_ipv4_addresses %}
-  # listen on IPs defined by dns_forward_zones: {{ key }}
-  interface: {{ if_ip }}
 
-{% endif %}
-{% endfor %}
-{% endif %}
 {% if unbound_listen_ips %}
   # listen on specific IPs
 {% for ip in unbound_listen_ips %}
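Review bot: The blank line kept from inside the removed `interface:` block now sits on its own between `{% endif %}` and `{% if unbound_listen_ips %}`, adding a stray empty line to the rendered config next to the one already emitted after the `ansible_default_ipv4` interface; drop it. More substantively, the removed block was the only place a candidate listen address was checked against `ansible_all_ipv4_addresses`; the surviving `unbound_listen_ips` path renders each entry as an `interface:` line unchecked, and the README in this commit says unbound will not start if such an address is not plumbed. A pre-flight `assert` in the role's tasks that every entry of `unbound_listen_ips` is present in `ansible_all_ipv4_addresses` would turn that into a clear failure before the restart handler runs. The `unbound_listen_ips` loop continues past the end of the hunk.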