Parameterize the random device for dnssec-keygen

`dnssec-keygen` uses `/dev/random` by default, but this is slow in some
scenarios where `/dev/urandom` is both faster and provides sufficient utility.
Allow override via the `bind::random_device` hiera key.

data/common.yaml

@@ -4,5 +4,6 @@ bind::params::supported: false
 bind::forwarders: ''
 bind::dnssec: true
 bind::version: ''
+bind::random_device: '/dev/random'
 
 bind::updater::keydir: '/etc/nsupdate-keys'

files/dnssec-init

@@ -4,7 +4,8 @@ CACHEDIR="$1"
 NAME="$2"
 DOMAIN="$3"
 KEY_DIRECTORY="${4:-${CACHEDIR}/${NAME}}"
+RANDOM_DEVICE="$5"
 PATH=/bin:/sbin:/usr/bin:/usr/sbin
-dnssec-keygen -K "${KEY_DIRECTORY}" "${DOMAIN}"
+dnssec-keygen -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}"
-dnssec-keygen -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"
+dnssec-keygen -r "${RANDOM_DEVICE}" -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"
 dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"

manifests/init.pp

@@ -9,6 +9,7 @@ class bind (
     $version         = undef,
     $rndc            = undef,
     $statistics_port = undef,
+    $random_device   = undef,
 ) {
     include ::bind::params
 

manifests/zone.pp

@@ -21,6 +21,7 @@ define bind::zone (
     # where there is a zone, there is a server
     include bind
     $cachedir = $::bind::cachedir
+    $random_device = $::bind::random_device
     $_domain = pick($domain, $name)
 
     unless !($masters != '' and ! member(['slave', 'stub'], $zone_type)) {
@@ -109,7 +110,7 @@ define bind::zone (
     if $dnssec {
         exec { "dnssec-keygen-${name}":
             command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\
-                '${_domain}' '${key_directory}'",
+                '${_domain}' '${key_directory}' '${random_device}'",
             cwd     => $cachedir,
             user    => $::bind::params::bind_user,
             creates => "${cachedir}/${name}/${_domain}.signed",