From 91d95b190c14e04bb7dea49ec11596e899fcbdda Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Mon, 14 Oct 2019 18:34:43 +0200
Subject: [PATCH] dns-intern: use future-proof pdns config

---
 roles/dns-intern/templates/pdns.conf.j2 | 28 +++++++++++++--------
 roles/dns-intern/templates/recursor.conf.j2 | 25 ++++++++++++++----
 2 files changed, 37 insertions(+), 16 deletions(-)

diff --git a/roles/dns-intern/templates/pdns.conf.j2 b/roles/dns-intern/templates/pdns.conf.j2
index 227659f..f792402 100644
--- a/roles/dns-intern/templates/pdns.conf.j2
+++ b/roles/dns-intern/templates/pdns.conf.j2
@@ -1,22 +1,28 @@
-#################################
-# allow-recursion List of subnets that are allowed to recurse
-#
-allow-recursion=127.0.0.1,172.23.0.0/16
- #################################
-# daemon Operate as a daemon
-#
-daemon=yes
+# {{ ansible_managed }}
 
 #################################
 # launch Which backends to launch and order to query them in
 #
+# launch=
 launch=bind
 
 #################################
-# recursor If recursion is desired, IP address of a recursing nameserver
+# local-address Local IP addresses to which we bind
 #
-recursor=127.0.0.1:5300
+# local-address=0.0.0.0
+local-address=127.0.0.1
+ #################################
+ # local-ipv6 Local IP address to which we bind
+ #
+ # local-ipv6=::
+local-ipv6=
+ #################################
+ # local-port The port on which we listen
+ #
+ # local-port=53
+local-port=5300
 
 #################################
 # security-poll-suffix Domain name from which to query security update notifications
diff --git a/roles/dns-intern/templates/recursor.conf.j2 b/roles/dns-intern/templates/recursor.conf.j2
index e306fda..40bfe7a 100644
--- a/roles/dns-intern/templates/recursor.conf.j2
+++ b/roles/dns-intern/templates/recursor.conf.j2
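Review bot: `local-address=127.0.0.1` and `local-port=5300` pin the authoritative server to loopback on a non-standard port, but nothing in the template says why, and the only thing that depends on it — the `forward-zones=...127.0.0.1:5300` entries in recursor.conf.j2 — lives in the other file touched by this same commit. A comment above `local-address=127.0.0.1`, e.g. `# loopback only: recursor.conf.j2 forwards binary.kitchen and 23.172.in-addr.arpa to 127.0.0.1:5300; keep the two in sync`, would record that coupling. The empty `local-ipv6=` presumably exists to suppress the default IPv6 binding; I believe newer Authoritative releases fold IPv6 into `local-address`, so this key may need revisiting despite the "future-proof" intent — verify against the PowerDNS version the role deploys. The removed `allow-recursion` and `recursor` keys are not replaced here, which is consistent with the recursor now owning the client ACL in recursor.conf.j2.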
@@ -1,12 +1,14 @@
+# {{ ansible_managed }}
+ #################################
 # allow-from If set, only allow these comma separated netmasks to recurse
 #
-allow-from=127.0.0.0/8
+#allow-from=127.0.0.0/8
 
 #################################
-# daemon Operate as a daemon
+# config-dir Location of configuration directory (recursor.conf)
 #
-daemon=yes
+config-dir=/etc/powerdns
 
 #################################
 # dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
@@ -14,15 +16,28 @@ daemon=yes
 # dnssec=process-no-validate
 dnssec=off
 
+#################################
+# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
+#
+# forward-zones=
+forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
+ #################################
 # local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
 #
-local-address=127.0.0.1
+local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
 
 #################################
 # local-port port to listen on
 #
-local-port=5300
+local-port=53
+ #################################
+ # query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
+ #
+{% if global_ipv6 is defined %}
+query-local-address6={{ global_ipv6 | ipaddr('address') }}
+{% endif %}
 
 #################################
 # quiet Suppress logging of questions and answers
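Review bot: Commenting out `allow-from=127.0.0.0/8` while `local-address` in the next hunk grows from loopback-only to `127.0.0.1,{{ ansible_default_ipv4.address }}` on port 53 leaves the recursion ACL at the Recursor's built-in default, and the explicit `172.23.0.0/16` that the removed `allow-recursion=127.0.0.1,172.23.0.0/16` in pdns.conf.j2 used to enforce is carried nowhere. As far as I recall the built-in default admits the private ranges broadly (RFC 1918, link-local, ULA), so any client in another private network reachable on that interface would be served recursively; a publicly routable default address would still be refused by that default, but the exposure then rests on an implicit value of a security-relevant setting. Make it explicit: `allow-from=127.0.0.0/8,172.23.0.0/16`. Separately, `ansible_default_ipv4.address` is used unguarded whereas `global_ipv6` in the next hunk is wrapped in `{% if ... is defined %}`; a host without an IPv4 default route would fail the render, so consider the same guard or a role default.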
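Review bot: `forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300` hard-codes the authoritative listener that pdns.conf.j2 configures separately in the same commit (`local-address=127.0.0.1`, `local-port=5300`), so editing either file alone silently breaks resolution of the internal zones. Add `# target must match local-address/local-port in pdns.conf.j2` above the line, or render the port once from a single role variable in both templates. The `{% if global_ipv6 is defined %}` block enables outbound IPv6 queries only when the fact exists while `local-address` has no IPv6 listener; if that asymmetry is intended, a one-line comment stating it would save the next reader the question.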