roles/named: Implement response policy zones

BIND response policy zones (RPZ) support provides a mechanism for
overriding the responses to DNS queries based on a wide range of
criteria.  In the simplest form, a response policy zone can be used to
provide different responses to different clients, or "block" some DNS
names.

For the Pyrocufflink and related networks, I plan to use an RPZ to
implement ad/tracker blocking.  The goal will be to generate an RPZ
definition from a collection of host lists (e.g. those used by uBlock
Origin) periodically.

This commit introduces basic support for RPZ configuration in the
*named* role.  It can be activated by providing a list of "response
policy" definitions (e.g. `zone "name"`) in the `named_response_policy`
variable, and defining the corresponding zones in `named_zones`.

roles/named/tasks/main.yml

@@ -35,7 +35,7 @@
 - name: ensure zone files exist
   template:
     src: zone.j2
-    dest: /var/named/dynamic/{{ item.zone }}.zone
+    dest: /var/named/{{ item.zone_file|d('dynamic/' + item.zone + '.zone') }}
     mode: '0640'
     owner: root
     group: named

roles/named/templates/named.conf.j2

@@ -58,6 +58,14 @@ options {
 
 	tkey-gssapi-keytab "{{ named_keytab }}";
 {% endif %}
+{% if named_response_policy|d %}
+
+	response-policy {
+{% for policy in named_response_policy %}
+		{{ policy }};
+{% endfor %}
+	};
+{% endif %}
 
 {% for path in named_options_include %}
 	include "{{ path }}";