Red Hat OpenStack Services on OpenShift
OSPRH-417

The designate operator should create and manage an unbound pod


    • Unbound support for designate
    • OSPRH-4410 - Designate support for RHOSO (Target 18.0 FR1)
    • 100% To Do, 0% In Progress, 0% Done
    • 2023Q4, 2024Q1, 2024Q2
    • Networking; VANS

      The designate operator should allow the creation and management of an unbound resolver pod.

      From https://bugzilla.redhat.com/show_bug.cgi?id=1891157
      1. Configure unbound ("interface:") to listen on the appropriate address in the container. (The CentOS 8 package does not listen on all addresses by default.)
      2. Set "do-daemonize: no" so it stays in the foreground and does not detach from podman.
      3. Configure "access-control" so the pod is not an open resolver by default, which could be abused for DNS reflection/amplification DDoS. Each entry needs an action, so these are "allow" entries on top of unbound's default refuse:
      a. Configure "access-control: <external subnet(s)> allow"
      b. Configure "access-control: <internal subnet(s)> allow"
      c. Configure "access-control: <external ipv6 subnet(s)> allow"
      d. Configure "access-control: <internal ipv6 subnet(s)> allow"
      e. Configure access-control for user supplied CIDRs. <<<< This will be a new tripleo configuration option for deployers.
      4. Use the "directory:" setting to specify the path to the persistent configuration files, certs, and keys.
      5. Use the "auto-trust-anchor-file: <path>" setting to point to a root.key file in the persistent store location.
      6. Copy the /var/lib/unbound/root.key file from the CentOS unbound package to the auto-trust-anchor-file path set in step 5 to prime unbound's DNSSEC trust anchor.
      7. Configure the "logfile:" setting to point to the appropriate tripleo log file location.
      8. Provide a user setting, defaulting to "no", that enables query logging. "log-queries: no" is the CentOS default. <<<< This will be a new tripleo configuration option for deployers.
      9. If tripleo has a "deploy with paranoid hardening" setting, also set the following. They are not set in the base CentOS package config (the other, more sensible hardening settings are already enabled there):
      a. "hide-identity: yes"
      b. "hide-version: yes"
      c. "hide-trustanchor: yes"
      d. "harden-short-bufsize: yes"
      e. "harden-large-queries: yes"
      10. Set "unblock-lan-zones: yes" to allow PTR lookups for private IP addresses.
      11. Set "insecure-lan-zones: yes" to stop DNSSEC validation attempts on private IP ranges.
      12. If TLS everywhere is configured:
      a. Set "tls-service-key: <tls key file>"
      b. Set "tls-service-pem: <tls pem file>"
      c. Set "tls-port: 853"
      13. Set "rrset-cache-size: 100m"
      14. Set "msg-cache-size: 50m"

      "remote-control:" section:
      1. Since we are not doing metrics collection initially, set "control-enable: no" to disable the remote control interface. CentOS has this set to yes.
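      As an added example (not code from the designate operator, the Bugzilla report, or this ticket), the following Python renders an unbound.conf that applies the steps above, including the deployer-supplied CIDRs from step 3e, the query-logging switch from step 8, and the user-supplied forward resolvers mentioned further down. The function and parameter names, the persistent-store and log paths, and the refusal of catch-all CIDRs are assumptions; the unbound option names and values are the ones listed in the steps.

```python
"""Render unbound.conf for the designate-managed resolver pod.

Added example, not code from the designate operator, the Bugzilla report or
this ticket.  Function and parameter names, the persistent-store and log
paths, and the refusal of catch-all CIDRs are assumptions; the unbound option
names and values are the ones listed in the steps above.
"""
import ipaddress
from typing import Iterable, Optional

# Assumed paths; a real deployment points these at its persistent volume
# and tripleo log location.
PERSISTENT_DIR = "/var/lib/unbound"
LOG_FILE = "/var/log/unbound/unbound.log"

# Step 9: settings only enabled under "paranoid hardening".
PARANOID_OPTIONS = (
    "hide-identity: yes",
    "hide-version: yes",
    "hide-trustanchor: yes",
    "harden-short-bufsize: yes",
    "harden-large-queries: yes",
)


def normalize_cidrs(cidrs: Iterable[str]) -> list[str]:
    """Validate deployer-supplied CIDRs and refuse catch-all networks.

    A 0.0.0.0/0 or ::/0 allow entry would recreate the open resolver that
    step 3 exists to prevent, so it is treated as an error instead of being
    written out.  (Assumed operator policy; the ticket does not specify it.)
    """
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all access-control entry {cidr}")
        nets.append(str(net))
    return nets


def render_unbound_conf(
    listen_addrs: Iterable[str],
    allowed_cidrs: Iterable[str],
    log_queries: bool = False,
    paranoid: bool = False,
    tls: Optional[tuple[str, str]] = None,
    forwarders: Iterable[str] = (),
) -> str:
    """Return unbound.conf text covering steps 1-14, remote-control and forwarders."""
    lines = ["server:"]
    # 1. Listen explicitly on the pod addresses (the package default is localhost only).
    for addr in listen_addrs:
        lines.append(f"  interface: {addr}")
    # 2. Stay in the foreground so the container runtime supervises the process.
    lines.append("  do-daemonize: no")
    # 3. Deny by default, then allow only the external/internal subnets and
    #    the deployer-supplied CIDRs.  Every access-control line needs an action.
    lines.append("  access-control: 0.0.0.0/0 refuse")
    lines.append("  access-control: ::0/0 refuse")
    for net in normalize_cidrs(allowed_cidrs):
        lines.append(f"  access-control: {net} allow")
    # 4-7. Persistent store, DNSSEC trust anchor primed from root.key, log file.
    lines.append(f'  directory: "{PERSISTENT_DIR}"')
    lines.append(f'  auto-trust-anchor-file: "{PERSISTENT_DIR}/root.key"')
    lines.append(f'  logfile: "{LOG_FILE}"')
    # 8. Query logging stays off unless the deployer turns it on.
    lines.append(f"  log-queries: {'yes' if log_queries else 'no'}")
    # 9. Optional paranoid hardening.
    if paranoid:
        lines.extend(f"  {opt}" for opt in PARANOID_OPTIONS)
    # 10-11. Reverse lookups for private ranges without DNSSEC validation attempts.
    lines.append("  unblock-lan-zones: yes")
    lines.append("  insecure-lan-zones: yes")
    # 12. DNS over TLS when TLS everywhere is configured.
    if tls is not None:
        key_file, pem_file = tls
        lines.append(f'  tls-service-key: "{key_file}"')
        lines.append(f'  tls-service-pem: "{pem_file}"')
        lines.append("  tls-port: 853")
    # 13-14. Cache sizes.
    lines.append("  rrset-cache-size: 100m")
    lines.append("  msg-cache-size: 50m")
    # remote-control: no metrics collection yet, so keep the control socket off.
    lines += ["", "remote-control:", "  control-enable: no"]
    # User-supplied forward resolvers for the root zone, if any.
    forwarders = list(forwarders)
    if forwarders:
        lines += ["", "forward-zone:", '  name: "."']
        lines.extend(f"  forward-addr: {addr}" for addr in forwarders)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: listen everywhere, allow two tenant subnets.
    print(render_unbound_conf(["0.0.0.0", "::0"], ["10.0.0.0/24", "fd00::/64"], paranoid=True))
```

      The explicit "refuse" lines are redundant with unbound's built-in default but make the intent visible in the rendered file; the real protection is that nothing wider than the listed subnets is ever written as "allow".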

      The unbound resolver is instrumental in the neutron/DNS integration and must be exposed on an "external IP", because every OpenStack instance running in the cloud needs to reach it.

      It must also support custom configuration by the user, for example to set forward resolvers.

            rhn-engineering-beagles Brent Eagles
            rhos-dfg-networking-squad-vans