From 5973de0959242cc5832c361616c5848d002aa6f8 Mon Sep 17 00:00:00 2001
From: lilly <li@lly.sh>
Date: Wed, 10 Jun 2026 16:17:18 +0200
Subject: [PATCH] dns: validate zone files before apply in knot role

---
 roles/knot/tasks/02-configure.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/knot/tasks/02-configure.yaml b/roles/knot/tasks/02-configure.yaml
index a2a8e55..e79143f 100644
--- a/roles/knot/tasks/02-configure.yaml
+++ b/roles/knot/tasks/02-configure.yaml
@@ -33,6 +33,7 @@
     owner: knot
     group: knot
     mode: u=rw,g=r
+    validate: "kzonecheck -v -o '{{ item.domain }}' %s"
 
 # this seems weird but hear me out:
 # if we don't disable SLAAC, the node automatically gets an address based on IPv6 Router-Advertisements