roles/named: Support managing TSIG keys

To support signing of updates, TSIG keys can be defined using the
`named_keys` variable. This variable takes a list of objects with the
following properties:

* `name`: The name of the key
* `algorithm`: The signature algorithm (default: `hmac-md5`)
* `secret`: The base64-encoded key material

roles/named/templates/named.conf.j2

@@ -65,6 +65,7 @@ zone "." IN {
 
 include "/etc/named.rfc1912.zones";
 include "/etc/named.root.key";
+include "/etc/named.secrets";
 include "/etc/named.zones";
 {% for path in named_global_include %}
 include "{{ path }}";

roles/named/templates/named.secrets.j2

@@ -0,0 +1,8 @@
+// DNSSEC key configuration for ISC BIND
+{% for key in named_keys %}
+
+key {{ key.name }} {
+    algorithm {{ key.algorithm|d('hmac-md5') }};
+    secret "{{ key.secret }}";
+};
+{% endfor %}