- name: copy zone files
  template:
    src: db.j2
    dest: '/etc/bind/zones/db.{{ item.key }}'
    owner: root
    group: root
    mode: 0644
  with_dict: '{{ bind_zones }}'
  register: zone
  notify: reload bind

- name: dnssec sign
  shell: 'dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ item.item.key }} -t /etc/bind/zones/db.{{ item.item.key }}'
  args:
    chdir: /etc/bind/keys
  with_items: '{{ zone.results }}'
  when: item.changed and item.item.value.dnssec is defined and item.item.value.dnssec
  notify: reload bind