authorBogdan Dobrelya <bdobreli@redhat.com>2017-09-05 15:56:43 +0200
committerTomas Sedovic <tomas@sedovic.cz>2017-09-05 15:56:43 +0200
commit06abd17792fafc3adec3916f56c69800690b1431 (patch)
tree7cbebf95e307dace4bc81b5eb52825446b637624 /roles
parente903f5581d5b5bc0dba9cdcddb8399d7ae7578af (diff)
Document global DNS security options (#694)
* Document global DNS security options Related changes: * Do not create a view if externally managed. * Allow to specify the recursion settings for public/private views defined by the dns-view role. Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com> * Document public_dns_nameservers better Also use it as the private view forwarder Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Diffstat (limited to 'roles')
-rw-r--r--roles/dns-views/defaults/main.yml4
-rw-r--r--roles/dns-views/tasks/main.yml7
2 files changed, 10 insertions, 1 deletions
diff --git a/roles/dns-views/defaults/main.yml b/roles/dns-views/defaults/main.yml
new file mode 100644
index 000000000..c9f8248af
--- /dev/null
+++ b/roles/dns-views/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+external_nsupdate_keys: {}
+named_private_recursion: 'yes'
+named_public_recursion: 'no'
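Review bot: The two recursion defaults are added without a comment explaining why they differ, and the public value is the security-relevant one. A recursive resolver reachable by arbitrary clients can be abused for traffic amplification, so above `named_public_recursion: 'no'` I would add `# Keep 'no' unless the public view's clients are restricted; 'yes' makes it a recursive resolver for anyone who can reach it.` A one-line comment on `external_nsupdate_keys` would also help, saying that a `private` or `public` entry marks that view as externally managed, since the tasks file keys off exactly those names. If the mapping carries key secrets (inferred from the name only), that comment should tell operators to supply it from a vaulted variable rather than plain inventory.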
diff --git a/roles/dns-views/tasks/main.yml b/roles/dns-views/tasks/main.yml
index 7165b4269..ffbad2e3f 100644
--- a/roles/dns-views/tasks/main.yml
+++ b/roles/dns-views/tasks/main.yml
@@ -8,18 +8,23 @@
set_fact:
private_named_view:
- name: "private"
+ recursion: "{{ named_private_recursion }}"
acl_entry: "{{ acl_list }}"
zone:
- dns_domain: "{{ full_dns_domain }}"
+ forwarder: "{{ public_dns_nameservers }}"
+ when: external_nsupdate_keys['private'] is undefined
- name: "Generate the public view"
set_fact:
public_named_view:
- name: "public"
+ recursion: "{{ named_public_recursion }}"
zone:
- dns_domain: "{{ full_dns_domain }}"
forwarder: "{{ public_dns_nameservers }}"
+ when: external_nsupdate_keys['public'] is undefined
- name: "Generate the final named_config_views"
set_fact:
- named_config_views: "{{ private_named_view + public_named_view }}"
+ named_config_views: "{{ private_named_view|default([]) + public_named_view|default([]) }}"
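Review bot: The public view now takes `recursion` from `named_public_recursion` but, unlike the private view, has no `acl_entry` in this hunk. An override to 'yes' would therefore pair recursion with the `public_dns_nameservers` forwarder for whatever clients that view matches. I would add a comment above the "Generate the public view" task, e.g. `# No acl_entry on this view: named_public_recursion must stay 'no' unless access is restricted elsewhere.` A fail or assert task that rejects the override would be stronger, if the role can tell that no restriction exists. Separately, when both `external_nsupdate_keys['private']` and `['public']` are defined, `named_config_views` becomes `[]`; the consumer of that fact is not visible here, so it is worth confirming that it handles an empty list rather than rendering a config with no views. The first task's header lies outside the hunk.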