roles/named: Deploy BIND DNS server

The *named* role configures the BIND DNS server on managed nodes. It
writes `/etc/named.conf`, using a template that supports most of the
commonly-used options. The configuration can be augmented by other
templates, etc. by specifying file paths in the `named_options_include`
or `named_global_include` variables, both of which are lists.

roles/named/templates/named.conf.j2

@@ -0,0 +1,62 @@
+{% macro yesno(val) %}{{ 'yes' if val|bool else 'no' }}{% endmacro %}
+options {
+{% for listen in named_listen %}
+	listen-on port {{ listen.port|d(53) }} {
+{% for address in listen.addresses %}
+		{{ address }};
+{% endfor %}
+	};
+{% endfor %}
+{% for listen in named_listen_v6 %}
+	listen-on-v6 port {{ listen.port|d(53) }} {
+{% for address in listen.addresses %}
+		{{ address }};
+{% endfor %}
+	};
+{% endfor %}
+	directory 	"{{ named_directory }}";
+	dump-file 	"{{ named_dump_file }}";
+	statistics-file "{{ named_stats_file }}";
+	memstatistics-file "{{ named_memstats_file }}";
+	allow-query     {
+{% for match in named_allow_query %}
+		{{ match }};
+{% endfor %}
+	};
+
+	recursion {{ yesno(named_recursion) }};
+
+	dnssec-enable {{ yesno(named_dnssec) }};
+	dnssec-validation {{ yesno(named_dnssec_validation) }};
+
+	managed-keys-directory "{{ named_managed_keys_dir }}";
+
+	pid-file "{{ named_pid_file }}";
+	session-keyfile "{{ named_session_keyfile }}";
+{% if named_keytab is defined %}
+
+	tkey-gssapi-keytab "{{ named_keytab }}";
+{% endif %}
+
+{% for path in named_options_include %}
+	include "{{ path }}";
+{% endfor %}
+};
+
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+{% for path in named_global_include %}
+include "{{ path }}";
+{% endfor %}