Disable recursion in Designate-managed BIND

For security, it is best to split authoritative and recursive
nameservers.  This way a security vulnerability that only affects
one type of server won't provide an exploit for the other too.

For Designate, the managed BIND server is the authoritative one.
We can use Neutron's internal DNS server as the recursive server, or
users can point at their DNS server of choice.  To make sure our
defaults work out of the box, this change enables the Neutron
internal DNS by default and users can change that if they choose.

Since that means we no longer need recursion in BIND, we should shut
it off, which this also does.

Change-Id: I4193436fdfd05bfd641fc32b58cc9bff24310a80
Ben Nemec 2018-06-25 16:19:00 -05:00
parent d4862bc793
commit c5dc8ef19a
3 changed files with 11 additions and 0 deletions


@ -13,6 +13,12 @@
# configuration values for other services to allow them to integrate with
# Designate.
parameter_defaults:
# If True, enable the internal Neutron DNS server that provides name
# resolution between VMs. This parameter has no effect if
# NeutronDhcpAgentDnsmasqDnsServers is set.
# Type: boolean
NeutronEnableInternalDNS: True
# Comma-separated list of extensions enabled for the Neutron plugin.
# Type: comma_delimited_list
NeutronPluginExtensions: qos,port_security,dns
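Review bot: The new `NeutronEnableInternalDNS: True` default is documented in its own comment as having no effect when `NeutronDhcpAgentDnsmasqDnsServers` is set, so a deployment that sets that parameter gets neither the internal Neutron DNS nor (after the second hunk) recursion in the Designate-managed BIND, leaving instances without a recursive resolver unless the operator supplies one. Call this out in the commit message or a release note, and state explicitly that operators using `NeutronDhcpAgentDnsmasqDnsServers` must point it at a recursive resolver of their own.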


@ -70,6 +70,7 @@ outputs:
- get_attr: [DesignateBase, role_data, config_settings]
- designate::worker::worker_notify: true
dns::vardir: /var/named-persistent
dns::recursion: 'no'
dns::additional_options:
listen-on:
str_replace:
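Review bot: `dns::recursion: 'no'` is a behaviour change for existing deployments whose instances resolved through the Designate BIND server, and none of the three changed files is a release note, so add one describing that BIND now answers authoritatively only and that name resolution must come from the Neutron internal DNS or another resolver. A smaller point on the same line: the value is the quoted string `'no'` while the neighbouring `designate::worker::worker_notify: true` uses a bare boolean; confirm the `dns` Puppet class expects the string form so the option renders as `recursion no;` rather than a mistyped value.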


@ -19,5 +19,9 @@ environments:
puppet/services/neutron-plugin-ml2.yaml:
parameters:
- NeutronPluginExtensions
puppet/services/neutron-dhcp.yaml:
parameters:
- NeutronEnableInternalDNS
sample_values:
NeutronPluginExtensions: qos,port_security,dns
NeutronEnableInternalDNS: True
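Review bot: The generator entry registers `NeutronEnableInternalDNS` for `puppet/services/neutron-dhcp.yaml` with a sample value of `True`, which matches the default in the generated environment file, but it carries no hint of the interaction with `NeutronDhcpAgentDnsmasqDnsServers` that the parameter's own description mentions; since this file is what future regenerations are built from, a short comment here noting that dependency would keep the caveat from being lost when the environment file is regenerated.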