From db3094ba6e3499642468dbaa70f341b3648fb815 Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Wed, 16 Nov 2016 17:07:19 -0500
Subject: [PATCH] nameserver: Add support for enabling/disabling recursion
Signed-off-by: David Galloway
---
 roles/nameserver/README.rst | 5 +++++
 roles/nameserver/defaults/main.yml | 1 +
 roles/nameserver/templates/named.conf.j2 | 4 +++-
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/roles/nameserver/README.rst b/roles/nameserver/README.rst
index 98193c1..d30806c 100644
--- a/roles/nameserver/README.rst
+++ b/roles/nameserver/README.rst
@@ -67,6 +67,10 @@ Most variables are defined in ``roles/nameserver/defaults/main.yml`` and values
 | named_conf_soa: "ns1.example.com. admin.example.com." | |
 | | |
 +--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+
+|``named_conf_recursion: "no"`` |Define whether recursion should be allowed or not. Defaults to "no". Override in Ansible inventory as a hostvar. |
+| | |
+| |**NOTE:** Setting to "yes" will add ``allow-recursion { any; }``. See To-Do. |
++--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+
 **named_domains: []**
@@ -160,5 +164,6 @@ To-Do
 - Allow additional user-defined firewall rules
 - DNSSEC
 - Dynamic DNS
+- Add support for specifying networks to allow recursion from
 .. _Sepia: https://ceph.github.io/sepia/
diff --git a/roles/nameserver/defaults/main.yml b/roles/nameserver/defaults/main.yml
index dc2d265..64f797e 100644
--- a/roles/nameserver/defaults/main.yml
+++ b/roles/nameserver/defaults/main.yml
@@ -16,6 +16,7 @@ named_conf_listen_iface:
 - "{{ ansible_all_ipv4_addresses[0] }}"
 named_conf_zones_path: "/var/named/zones"
 named_conf_daemon_opts: ""
+named_conf_recursion: "no" # Allow recursion? [yes|no]
 # Zone file conf vars
 named_conf_soa_ttl: 3600
diff --git a/roles/nameserver/templates/named.conf.j2 b/roles/nameserver/templates/named.conf.j2
index 04c83cb..cd7ac2d 100644
--- a/roles/nameserver/templates/named.conf.j2
+++ b/roles/nameserver/templates/named.conf.j2
@@ -11,8 +11,10 @@ options {
 memstatistics-file "{{ named_conf_data_dir }}/named_mem_stats.txt";
 allow-query { any; };
- recursion yes;
+ recursion {{ named_conf_recursion }};
+{% if named_conf_recursion == "yes" %}
 allow-recursion { any; };
+{% endif %}
 };
 logging {
--
2.39.5
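Review bot: The inline comment on the added `named_conf_recursion: "no"` line in roles/nameserver/defaults/main.yml advertises `[yes|no]` without saying that an override must stay a quoted string. An unquoted `yes` or `no` in inventory is read by YAML as a boolean, so the value would likely reach the template as `True`/`False`, and the `== "yes"` test in the named.conf.j2 hunk would not match while the `recursion` line is still rendered from it. I would spell this out in the comment, for example `# Allow recursion? Quoted string only: "yes" or "no"`, or have the template test `named_conf_recursion | bool` instead of comparing strings.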
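Review bot: When `named_conf_recursion` is "yes", the hard-coded `allow-recursion { any; };` in the named.conf.j2 hunk, next to the unchanged `allow-query { any; };` context line, renders an open recursive resolver reachable by any client that can reach the listener. That configuration is commonly abused as a DNS amplification reflector and widens cache-poisoning exposure. The README hunk defers network scoping to the To-Do, but a safer interim is to render BIND's built-in ACLs, `allow-recursion { localnets; localhost; };`, until a list variable exists. The options block opens before the hunk, so any other ACLs it sets are not visible here.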