Add support for DNSSEC signed zones (breaking)

This adds a 'dnssec' parameter to the bind::zone define which causes the module
to generate keys and sign the zone.  Some caveats and breaking changes:

1) Existing non-signed zones will have to be manually moved and signed
2) Signed zones are treated as dynamic

files/dnssec-init

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+CACHEDIR="$1"
+NAME="$2"
+DOMAIN="$3"
+PATH=/bin:/sbin:/usr/bin:/usr/sbin
+dnssec-keygen -K "${CACHEDIR}/${NAME}" "${DOMAIN}"
+dnssec-keygen -f KSK -K "${CACHEDIR}/${NAME}" "${DOMAIN}"
+dnssec-signzone -S -d "${CACHEDIR}" -K "${CACHEDIR}/${NAME}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"

manifests/init.pp

@@ -13,6 +13,16 @@ class bind (
 		ensure => latest,
 	}
 
+	if $dnssec {
+		file { '/usr/local/bin/dnssec-init':
+			ensure => present,
+			owner  => 'root',
+			group  => 'root',
+			mode   => '0755',
+			source => 'puppet:///modules/bind/dnssec-init',
+		}
+	}
+
 	service { $bind::params::bind_service:
 		ensure     => running,
 		enable     => true,

manifests/zone.pp

@@ -4,27 +4,58 @@ define bind::zone (
 	$masters         = [],
 	$allow_updates   = [],
 	$allow_transfers = [],
+	$dnssec          = false,
 ) {
+	$cachedir = $bind::cachedir
+
 	if $domain == '' {
 		$_domain = $name
 	} else {
 		$_domain = $domain
 	}
 
-	case $zone_type {
+	$has_zone_file = $zone_type ? {
-		'forward': {
+		'master' => true,
-			$file = ''
+		'slave' => true,
+		'hint' => true,
+		'stub' => true,
+		default => false,
+	}
+
+	if $has_zone_file {
+		file { "${cachedir}/${name}":
+			ensure  => directory,
+			owner   => $bind::params::bind_user,
+			group   => $bind::params::bind_group,
+			mode    => '0755',
+			require => Package[$bind::params::bind_package],
 		}
-		default: {
+
-			$file = "${bind::cachedir}/${name}"
+		file { "${cachedir}/${name}/${_domain}":
-			file { $file:
+			ensure  => present,
-				ensure  => present,
+			owner   => $bind::params::bind_user,
-				owner   => 'root',
+			group   => $bind::params::bind_group,
-				group   => $bind::params::bind_group,
+			mode    => '0644',
-				mode    => '0644',
+			replace => false,
-				replace => false,
+			source  => 'puppet:///modules/bind/db.empty',
-				source  => 'puppet:///modules/bind/db.empty',
+			audit   => [ content ],
-				require => Package[$bind::params::bind_package],
+		}
+
+		if $dnssec {
+			exec { "dnssec-keygen-${_domain}":
+				command => "/usr/local/bin/dnssec-init ${cachedir} ${name} ${_domain}",
+				cwd     => $cachedir,
+				user    => $bind::params::bind_user,
+				creates => "${cachedir}/${name}/${_domain}.signed",
+				timeout => 0, # crypto is hard
+				require => [ File['/usr/local/bin/dnssec-init'], File["${cachedir}/${name}/${_domain}"] ],
+			}
+
+			file { "${cachedir}/${name}/${_domain}.signed":
+				owner => $bind::params::bind_user,
+				group => $bind::params::bind_group,
+				mode  => '0644',
+				audit => [ content ],
 			}
 		}
 	}

templates/zone.conf.erb

@@ -2,8 +2,14 @@
 # This file managed by puppet - changes will be lost
 zone "<%= _domain %>" {
 	type <%= zone_type %>;
-<%- if file != '' -%>
+<%- if has_zone_file -%>
-	file "<%= file %>";
+<%-   if dnssec -%>
+	auto-dnssec maintain;
+	key-directory "<%= cachedir %>/<%= name %>";
+	file "<%= cachedir %>/<%= name %>/<%= _domain %>.signed";
+<%-   else -%>
+	file "<%= cachedir %>/<%= name %>/<%= _domain %>";
+<%-   end -%>
 <%- end -%>
 <%- if not masters.empty? -%>
 	masters {