Publish records both ways during the k8s cutover, and expose expected vs
deployed records for drift detection.
- profiles::dns::updater + ::record: manage_nsupdate and manage_export
booleans (both default on); export keeps the legacy master flow, so
disable it once k8s is authoritative
- dns_records fact: parses the expected records file and digs the
authoritative server for each, reporting expected / in_sync / drift
(plus dns_records_insync boolean); updater writes the server address
to /var/lib/dns-updater/server for the fact
- hiera: manage_export/manage_nsupdate = true (cutover)

Replaces the exported-resources -> puppet DNS master zone-file flow with
per-host RFC2136 dynamic updates against the k8s bind-authoritative write
endpoint (198.18.200.9), so the master no longer manages zone files.
- add profiles::dns::updater: assembles the host's records into a concat
file and runs nsupdate via a systemd .path unit that watches it; the
dns-update script sends only the delta and deletes removed records
- switch profiles::dns::record to write local concat fragments
(zone|name|type|ttl|value) instead of exporting to the master
- include profiles::dns::updater from profiles::dns::base (all nodes)
- inert until profiles::dns::updater::key_secret (TSIG) is set in eyaml
- hiera: updater server/key_name/algorithm in common.yaml
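As an added example (not the project's dns-update script or dns_records fact), the two pieces of logic the commits describe in Python: deriving the nsupdate delta between the previously applied and the current concat file of `zone|name|type|ttl|value` fragments, and comparing expected records against what the authoritative server answers. The zone, hostname and values are constructed; the report's field names follow the fact's expected / in_sync / drift / dns_records_insync, but its exact shape is assumed.

```python
"""Added example, not the project's dns-update script or dns_records fact.
Works on the zone|name|type|ttl|value concat fragments described above."""
from collections import defaultdict

def parse_records(text):
    """Parse 'zone|name|type|ttl|value' lines into a set; skips blanks and # comments."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            zone, name, rtype, ttl, value = line.split("|", 4)
            records.add((zone, name, rtype.upper(), int(ttl), value))
    return records

def nsupdate_delta(previous, current, server):
    """nsupdate batch: delete records that vanished, add new ones, one 'send' per
    zone; '' when nothing changed. TSIG key comes from the caller (nsupdate -k)."""
    by_zone = defaultdict(list)
    for zone, name, rtype, _, value in sorted(previous - current):
        by_zone[zone].append(f"update delete {name}.{zone}. {rtype} {value}")
    for zone, name, rtype, ttl, value in sorted(current - previous):
        by_zone[zone].append(f"update add {name}.{zone}. {ttl} {rtype} {value}")
    if not by_zone:
        return ""
    lines = [f"server {server}"]
    for zone in sorted(by_zone):
        lines += [f"zone {zone}."] + by_zone[zone] + ["send"]
    return "\n".join(lines) + "\n"

def check_drift(expected, lookup):
    """Drift report (shape assumed): lookup(fqdn, rtype) returns the authoritative
    server's answer set (dig in the real fact; a stub in the test here)."""
    in_sync, drift = [], []
    for zone, name, rtype, _, value in sorted(expected):
        fqdn = f"{name}.{zone}"
        (in_sync if value in lookup(fqdn, rtype) else drift).append(f"{fqdn} {rtype} {value}")
    return {"expected": len(expected), "in_sync": in_sync, "drift": drift,
            "dns_records_insync": not drift}

# Constructed fragments: host dropped its TXT record and shortened the A TTL.
PREVIOUS = parse_records('example.internal|web01|A|300|10.0.0.5\n'
                         'example.internal|web01|TXT|300|"role=web"\n')
CURRENT = parse_records('example.internal|web01|A|60|10.0.0.5\n')

if __name__ == "__main__":
    print(nsupdate_delta(PREVIOUS, CURRENT, "198.18.200.9"), end="")
```

A TTL change shows up as a delete of the old RR plus an add of the new one, which is what keeps the write endpoint's zone free of stale records.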