roles/named: Support managing TSIG keys

To support signing of updates, TSIG keys can be defined using the
`named_keys` variable. This variable takes a list of objects with the
following properties:

* `name`: The name of the key
* `algorithm`: The signature algorithm (default: `hmac-md5`)
* `secret`: The base64-encoded key material

roles/named/tasks/main.yml

@@ -13,6 +13,16 @@
   tags:
   - install
 
+- name: ensure named keys are configured
+  template:
+    src: named.secrets.j2
+    dest: /etc/named.secrets
+    mode: '0440'
+    owner: root
+    group: named
+    validate: named-checkconf %s
+  notify: reload named
+
 - name: ensure zones are configured
   template:
     src: named.zones.j2