roles/named: Support logging queries to syslog

This commit adds two new variables to the *named* role:
`named_queries_syslog` and `named_rpz_syslog`.  These variables control
whether BIND will send query and RPZ log messages to the local syslog
daemon, respectively.

group_vars/pyrocufflink-dns.yml

@@ -9,6 +9,8 @@ named_allow_query:
 named_dnssec_validation: false
 named_response_policy:
 - zone "blackhole.rpz"
+named_queries_syslog: true
+named_rpz_syslog: true
 
 pyrocufflink_common_zones:
 - zone: pyrocufflink.blue

roles/named/defaults/main.yml

@@ -20,3 +20,5 @@ named_default_refresh: 900
 named_default_retry: 600
 named_default_expire: 86400
 named_keys: []
+named_queries_syslog: false
+named_rpz_syslog: false

roles/named/templates/named.conf.j2

@@ -77,6 +77,24 @@ logging {
                 file "data/named.run";
                 severity dynamic;
         };
+{% if named_queries_syslog %}
+	channel queries_syslog {
+		syslog daemon;
+		severity info;
+	};
+{% endif %}
+{% if named_rpz_syslog %}
+	channel rpz_syslog {
+		syslog daemon;
+		severity info;
+	};
+{% endif %}
+{% if named_queries_syslog %}
+	category queries { queries_syslog; };
+{% endif %}
+{% if named_rpz_syslog %}
+	category rpz { rpz_syslog; };
+{% endif %}
 };
 
 zone "." IN {