charm-designate-bind/src/config.yaml

options:
  allowed_nets:
    default: ""
    type: string
    description: |
      String containing a list of allowed networks of hosts for DNS
      queries, separated by semicolons: e.g.,
      "10.0.0.0/8;172.16.0.0/12;192.168.0.0/16". The option is
      equivalent to "allow-query" in BIND9. If not specified, the
      default is to allow queries from all hosts.
  allowed_recursion_nets:
    default: ""
    type: string
    description: |
      String containing a list of allowed networks of hosts for
      recursive queries through the designate-bind servers, separated by
      semicolons: e.g., "10.0.0.0/8;172.16.0.0/12;192.168.0.0/16". The
      option is equivalent to "allow-recursion" in BIND9. If
      allowed_recursion_nets is not set then allowed_nets is used if
      set, otherwise "any" will be set to allow recursive queries from
      all hosts.
  forwarders:
    default: ""
    type: string
    description: |
      String containing a list of forwarders, separated by semicolons:
      e.g., "8.8.8.8;8.8.4.4". As a non-empty forwarders option implies
      recursion, recursive queries will be enabled regardless of the
      value set in the recursion option. When using this option, ACLs
      should be used with allowed_nets and/or allowed_recursion_nets to
      prevent it from being an open resolver.
  recursion:
    default: false
    type: boolean
    description: |
      Whether or not to enable recursive queries in the BIND9 instance
      installed by the charm. The option is equivalent to "recursion" in
      BIND9. When using this option, ACLs should be used with
      allowed_nets and/or allowed_recursion_nets to prevent it from
      being an open resolver.
  disable-dnssec-validation:
    default: false
    type: boolean
    description: |
      Whether or not to disable DNSSEC validation. This may be helpful
      in a situation where upstream DNS servers do not support DNSSEC,
      and BIND9 reports "Unable to fetch DNSKEY". For production
      deployments, it's encouraged to keep DNSSEC enabled.
  service_ips:
    default: ""
    type: string
    description: |
      Service IPs are a list of Virtual IPs that will be assigned to the
      designate-bind units. This option accepts a comma-separated list
      of IPv4 or IPv6 addresses that belong to at least one directly
      connected network.
      This option also requires that a relation with a subordinate
      hacluster unit is created, otherwise the designate-bind units go
      into the blocked state until the hacluster relation is made, or
      this option is unconfigured.
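
An added example, not part of the charm's code: a Python check that resolves the fallbacks documented above (allowed_recursion_nets falling back to allowed_nets and then to "any"; non-empty forwarders implying recursion) and flags a configuration that would leave the unit an open resolver. The function names and the sample configurations are constructed for illustration.

```python
import ipaddress

# Networks that cover the whole address space, i.e. no restriction at all.
WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def parse_nets(value):
    """Split a semicolon-separated option into networks; '' means unset."""
    items = [v.strip() for v in value.split(";") if v.strip()]
    return [ipaddress.ip_network(i, strict=False) for i in items]


def effective_acls(cfg):
    """Resolve the fallbacks documented in config.yaml into effective ACLs."""
    query = parse_nets(cfg.get("allowed_nets", ""))
    recursion_nets = parse_nets(cfg.get("allowed_recursion_nets", "")) or query
    forwarders = [f for f in cfg.get("forwarders", "").split(";") if f.strip()]
    return {
        # Non-empty forwarders imply recursion regardless of the boolean.
        "recursion": bool(cfg.get("recursion", False)) or bool(forwarders),
        "allow-query": query or "any",
        "allow-recursion": recursion_nets or "any",
    }


def audit(cfg):
    """Return a list of findings for one charm configuration."""
    acl = effective_acls(cfg)
    findings = []
    rec = acl["allow-recursion"]
    if acl["recursion"] and (rec == "any" or WORLD & set(rec)):
        findings.append("open resolver: recursion enabled for all hosts")
    if cfg.get("disable-dnssec-validation", False):
        findings.append("DNSSEC validation disabled")
    return findings


# Constructed sample configurations (option names as in config.yaml).
SAMPLES = {
    "defaults": {},
    "forwarders-only": {"forwarders": "8.8.8.8;8.8.4.4"},
    "restricted": {"forwarders": "8.8.8.8", "allowed_nets": "10.0.0.0/8;192.168.0.0/16"},
    "world-acl": {"recursion": True, "allowed_recursion_nets": "0.0.0.0/0"},
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, effective_acls(cfg)["allow-recursion"], audit(cfg))
```

With the defaults recursion is off, so the empty ACLs produce no finding; setting only forwarders turns recursion on while allow-recursion still resolves to "any".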