Publish records both ways during the k8s cutover, and expose expected vs
deployed records for drift detection.
- profiles::dns::updater + ::record: manage_nsupdate and manage_export
booleans (both default on); export keeps the legacy master flow, so
disable it once k8s is authoritative
- dns_records fact: parses the expected records file and digs the
authoritative server for each, reporting expected / in_sync / drift
(plus dns_records_insync boolean); updater writes the server address
to /var/lib/dns-updater/server for the fact
- hiera: manage_export/manage_nsupdate = true (cutover)