Per https://kb.isc.org/docs/aa-00269, bind now requires an ACL of permitted requestors to recurse queries. In order for designate to work as a central resolver, it needs to be able to resolve queries via forwarders/root for zones it does not carry internally.
I attempted to implement this via the kolla-ansible standard config change process:
```
diff --git c/etc/kolla/config/designate-backend-bind9/named.conf w/etc/kolla/config/designate-backend-bind9/named.conf
new file mode 100644
index 000000000..a00593a70
--- /dev/null
+++ w/etc/kolla/config/designate-backend-bind9/named.conf
@@ -0,0 +1,9 @@
+acl "private" {
+ 10.0.0.0/8;
+ 192.168.0.0/16;
+ 172.16.0.0/21;
+};
+
+options {
+ allow-recursion { private; };
+};
```
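Review bot: the third entry in the "private" ACL, `172.16.0.0/21`, covers only 172.16.0.0 through 172.16.7.255, while the other two entries are the full RFC 1918 blocks. If the intent is to permit recursion from all private address space, this entry would be `172.16.0.0/12`. If the narrower range is deliberate, a comment in the ACL naming the network it covers would make that clear to whoever templates this later.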
but this isn't being interpolated to the configuration file - just ignored by `... reconfigure --tags designate-backend-bind9`.
For now, I have manually added the ACL set and the allow-recursion option below `recursion yes;` and it works as expected on all 3 control nodes/bind containers. Pretty sure this requires some Jinja templating and config option changes in the YAML consumed by the Ansible code.