[debops.unbound] Allow non-recursive queries on AC

CHANGELOG.rst

@@ -115,6 +115,11 @@ LDAP
 
   .. __: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
 
+- The role will configure the :command:`unbound` daemon to allow non-recursive
+  access to DNS queries when a host is managed by Ansible locally, with
+  assumption that it's an Ansible Controller host. This change unblocks use of
+  the :command:`dig +trace` and similar commands.
+
 Changed
 ~~~~~~~
 

ansible/roles/debops.unbound/defaults/main.yml

@@ -36,7 +36,27 @@ unbound__packages: []
 # .. envvar:: unbound__default_server [[[
 #
 # The default Unbound 'server' configuration defined by the role.
-unbound__default_server: []
+unbound__default_server:
+
+  - name: 'localhost-allow_snoop'
+    option: 'access-control'
+    comment: |
+      By default unbound blocks non-recursive queries to prevent abuse; this
+      prevents commands like 'dig +trace' from working correctly. Since query
+      tracing is a useful debugging and diagnostic tool, non-recursive queries
+      will be allowed when the host is managed locally with assumption that
+      this is an administrator's machine.
+    value:
+
+      - name: '127.0.0.0/8'
+        args: 'allow_snoop'
+
+      - name: '::1/128'
+        args: 'allow_snoop'
+
+    state: '{{ "present"
+               if (unbound__fact_ansible_connection == "local")
+               else "ignore" }}'
 
                                                                    # ]]]
 # .. envvar:: unbound__server [[[

ansible/roles/debops.unbound/tasks/main.yml

@@ -1,5 +1,9 @@
 ---
 
+- name: Create a fact that knows the Ansible connection type
+  set_fact:
+    unbound__fact_ansible_connection: '{{ ansible_connection }}'
+
 - name: Create Unbound configuration directory
   file:
     path: '/etc/unbound/unbound.conf.d'