Add support for dnssec-policy

Allow setting the `dnssec-policy` for zones.

manifests/zone.pp

@@ -48,6 +48,8 @@
 # @param inline_signing
 # @param dnssec_secure_to_insecure
 # @param auto_dnssec
+# @param dnssec_policy
+#   Causes the zone to be signed and turns on automatic maintenance for the zone.
 #
 define dns::zone (
   Array[String] $target_views                             = [],
@@ -80,6 +82,7 @@
   Optional[Enum['yes', 'no']] $inline_signing             = undef,
   Optional[Enum['yes', 'no']] $dnssec_secure_to_insecure  = undef,
   Optional[Enum['allow', 'maintain', 'off']] $auto_dnssec = undef,
+  Optional[String[1]] $dnssec_policy                      = undef,
 ) {
 
   $_contact = pick($contact, "root.${zone}.")

spec/defines/dns_zone_spec.rb

@@ -407,6 +407,7 @@
           :key_directory             => '/etc/bind/keys',
           :auto_dnssec               => 'maintain',
           :update_policy             => 'local',
+          :dnssec_policy             => 'foo',
         } }
 
         it "should have valid zone configuration" do
@@ -419,6 +420,7 @@
           '    inline-signing yes;',
           '    key-directory "/etc/bind/keys";',
           '    update-policy local;',
+          '    dnssec-policy foo;',
           '};',
         ])
         end

templates/named.zone.erb

@@ -29,6 +29,9 @@ zone "<%= @zone %>" {
 <% if @inline_signing -%>
     inline-signing <%= @inline_signing %>;
 <% end -%>
+<% if @dnssec_policy -%>
+    dnssec-policy <%= @dnssec_policy %>;
+<% end -%>
 <% if @key_directory -%>
     key-directory "<%= @key_directory %>";
 <% end -%>