Cannot update "NS" types entries from Bind9 managed DNS zone #4657

Closed
1 task done
Simon-TheUser opened this issue May 9, 2022 · 5 comments · Fixed by #5377
Labels
bug This issue/PR relates to a bug has_pr module module net_tools plugins plugin (any type)

Comments

@Simon-TheUser
Contributor

Summary

When running an nsupdate task where the type: "NS" is used, Ansible reports a successful change.

Unfortunately, Bind9 will silently ignore the delete statement for the NS type for a zone, and the Ansible change does not work.

Issue Type

Bug Report

Component Name

nsupdate

Ansible Version

$ ansible --version
ansible [core 2.12.5]
  config file = None
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/github.Simon-TheUser.community.general/venv/lib/python3.8/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/github.Simon-TheUser.community.general/venv/bin/ansible
  python version = 3.8.10 (default, Mar 15 2022, 12:22:08) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general
Collection        Version
----------------- -------
community.general 4.8.0  

Configuration

$ ansible-config dump --only-changed

OS / Environment

The changes are made against a Bind9.18 DNS server.

Steps to Reproduce

Before running the test, gather the list of NS entries for a DNS zone.

$ dig NS lab @192.168.1.2 +short
ns6.lab.
ns3.lab.
ns2.lab.
ns4.lab.

Create a task that does not include the ns3.lab. entry and execute it:

  tasks:
    - name: New NS entries
      set_fact:
        ns_list:
          - 'ns2.lab.'
          - 'ns4.lab.'
          - 'ns6.lab.'

    - name: Update NS entries
      community.general.nsupdate:
        key_name: '{{ rndc_key_name }}'
        key_secret: '{{ rndc_key }}'
        key_algorithm: 'hmac-sha256'
        server: "192.168.1.2"
        zone: "lab."
        record: "lab."
        value: "{{ ns_list }}"
        type: "NS"

$ ansible-playbook test_NS_nsupdate.yml

PLAY [Test for Dynamic DNS updates of NS entries with Bind9] **********************************************************************************************************************************************************************

TASK [New NS entries] *************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Update NS entries] **********************************************************************************************************************************************************************************************************
changed: [localhost]

PLAY RECAP ************************************************************************************************************************************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Expected Results

After executing the task, I would expect the new list of NS records to only contain 3 items:

$ dig NS lab @192.168.1.2 +short
ns6.lab.
ns2.lab.
ns4.lab.

Actual Results

Running the domain query shows that ns3.lab. is still present as an NS entry:

$ dig NS lab @192.168.1.2 +short
ns6.lab.
ns3.lab.
ns2.lab.
ns4.lab.

Inside the Bind9 logs, you can see that the delete request for NS records is ignored:

09-May-2022 18:00:50.352 client @0x7fe7dd1f9568 192.168.1.3#45458/key rndc_ddns_ansible: updating zone 'lab/IN': attempt to delete all SOA or NS records ignored

Bind9 source code reference: https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_18/lib/ns/update.c#L3304

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@ansibullbot
Collaborator

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

@ansibullbot ansibullbot added bug This issue/PR relates to a bug module module net_tools plugins plugin (any type) labels May 9, 2022
Simon-TheUser added a commit to Simon-TheUser/community.general that referenced this issue May 9, 2022
@Simon-TheUser
Contributor Author

I have successfully modified the nsupdate.py script with the following changes for my environment:
Simon-TheUser@ceb8131

Feel free to grab the changes or I can create a pull request if that is your preferred approach.

@felixfontein
Collaborator

I'm not sure whether someone is actively maintaining this module, so creating a PR probably increases chances a lot that this fix will end up in this collection :)

@Simon-TheUser
Contributor Author

I will submit a PR after I complete my infrastructure changes. It will give me a chance to properly test my changes against bind9.18.

@Simon-TheUser Simon-TheUser changed the title Cannot remove "NS" types entries from Bind9 managed DNS zone Cannot update "NS" types entries from Bind9 managed DNS zone Oct 17, 2022
Simon-TheUser added a commit to Simon-TheUser/community.general that referenced this issue Oct 25, 2022
felixfontein added a commit that referenced this issue Nov 2, 2022
* Insert new entries before deleting old ones.
resolves #4657

* Slight wording changes.

* lint fix

* Address lint

* Added changelog
Fixed lint

* More linting

* Update changelogs/fragments/5377-nsupdate-ns-records-with-bind.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

Co-authored-by: Felix Fontein <felix@fontein.de>
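
The failure reported in this issue and the "insert before delete" ordering from the commit above, as an added example that is not part of the original issue, the module, or BIND: a simplified pure-Python model of the RFC 2136 section 3.4.2 rules for NS records at the zone apex, applied to the NS sets from the report. The operation tuples and function names are hypothetical.

```python
# Simplified model of RFC 2136 section 3.4.2 handling of apex NS records.
# Constructed for illustration; not BIND's or the nsupdate module's code.

ZONE = "lab."


def apply_update(zone_ns, ops, zone=ZONE):
    """Apply NS update operations to a zone the way RFC 2136 prescribes.

    zone_ns: dict mapping owner name -> set of NS targets
    ops: list of ("add", name, target), ("delete_rr", name, target)
         or ("delete_rrset", name, None)
    Returns (new zone_ns, list of operations the server ignored).
    """
    state = {name: set(targets) for name, targets in zone_ns.items()}
    ignored = []
    for op in ops:
        kind, name, target = op
        rrset = state.setdefault(name, set())
        if kind == "add":
            rrset.add(target)
        elif kind == "delete_rrset":
            # Deleting the whole NS RRset at the zone name is silently ignored.
            if name == zone:
                ignored.append(op)
            else:
                rrset.clear()
        elif kind == "delete_rr":
            # The last remaining apex NS record cannot be deleted either.
            if name == zone and rrset == {target}:
                ignored.append(op)
            else:
                rrset.discard(target)
    return state, ignored


def replace_plan(name, desired):
    """Delete the whole RRset, then add the desired values."""
    return [("delete_rrset", name, None)] + [("add", name, t) for t in sorted(desired)]


def add_then_prune_plan(name, current, desired):
    """Add missing values first, then delete stale records one by one."""
    adds = [("add", name, t) for t in sorted(desired - current)]
    deletes = [("delete_rr", name, t) for t in sorted(current - desired)]
    return adds + deletes


CURRENT = {"ns2.lab.", "ns3.lab.", "ns4.lab.", "ns6.lab."}  # from the dig output
DESIRED = {"ns2.lab.", "ns4.lab.", "ns6.lab."}              # from the playbook
```

In this model, `replace_plan` leaves ns3.lab. in place because its RRset delete is ignored, while `add_then_prune_plan` reaches the desired set; the ignored-operation list is what a client would need to check before reporting `changed`.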
patchback bot pushed a commit that referenced this issue Nov 2, 2022
(cherry picked from commit 5cb9a9e)
felixfontein pushed a commit that referenced this issue Nov 2, 2022
(cherry picked from commit 5cb9a9e)

Co-authored-by: Simon-TheUser <35318753+Simon-TheUser@users.noreply.github.com>
rekup pushed a commit to rekup/community.general that referenced this issue Nov 3, 2022
russoz pushed a commit to russoz-ansible/community.general that referenced this issue Nov 5, 2022
bratwurzt pushed a commit to bratwurzt/community.general that referenced this issue Nov 7, 2022