From f3691338d64eed5f570f3103cde00d471e39e961 Mon Sep 17 00:00:00 2001
From: Ralf Jung <post@ralfj.de>
Date: Sat, 12 May 2018 14:56:41 +0200
Subject: [PATCH] add named.conf.options

---
 roles/bind/handlers/main.yml            |  2 ++
 roles/bind/tasks/main.yml               |  5 +++++
 roles/bind/templates/named.conf.options | 27 +++++++++++++++++++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 roles/bind/handlers/main.yml
 create mode 100644 roles/bind/templates/named.conf.options

diff --git a/roles/bind/handlers/main.yml b/roles/bind/handlers/main.yml
new file mode 100644
index 0000000..ed762d1
--- /dev/null
+++ b/roles/bind/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: bind9
+  service: name=bind9 state=restarted enabled=yes
diff --git a/roles/bind/tasks/main.yml b/roles/bind/tasks/main.yml
index beb8ea0..8fbbc6b 100644
--- a/roles/bind/tasks/main.yml
+++ b/roles/bind/tasks/main.yml
@@ -9,6 +9,11 @@
   copy:
     dest: /var/lib/bind/Makefile
     src: files/Makefile
+- name: install bind config
+  template:
+    dest: /etc/bind/named.conf.options
+    src: templates/named.conf.options
+  notify: bind9
 # dyn-nsupdate
 - name: install dyn-nsupdate build-deps
   apt: name=libboost-regex-dev,libboost-program-options-dev,cmake state=latest
diff --git a/roles/bind/templates/named.conf.options b/roles/bind/templates/named.conf.options
new file mode 100644
index 0000000..7ed35ed
--- /dev/null
+++ b/roles/bind/templates/named.conf.options
@@ -0,0 +1,27 @@
+//========================================================================
+// If BIND logs error messages about the root key being expired,
+// you will need to update your keys.  See https://www.isc.org/bind-keys
+//========================================================================
+
+options {
+	directory "/var/cache/bind";
+	key-directory "/var/lib/bind/keys";
+
+	recursion no;
+	dnssec-enable yes;
+	sig-validity-interval 14;
+
+	auth-nxdomain no;    # conform to RFC1035
+	listen-on { {{ bind.listen }}; 127.0.0.1; };
+{% if bind.listen_v6 is defined %}
+	listen-on-v6 { {{ bind.listen_v6 }}; ::1; };
+{% endif %}
+
+	// hide BIND version
+	version "unknown";
+
+	// do rate-limiting
+	rate-limit {
+		responses-per-second 15;
+	};
+};
-- 
2.30.2