Set minimal-responses in BIND backend configuration

This is recommended as a mitigation for a potential cache poisoning
attack when using BIND with Designate.

https://docs.openstack.org/designate/queens/admin/production-guidelines.html#bind9-mitigation

Change-Id: I89f5b4b24558a4d8b66b2a9082fec152694e6b6a

manifests/backend/bind9.pp

@@ -44,6 +44,15 @@ class designate::backend::bind9 (
     order   => '20',
   }
 
+  # Recommended by Designate docs as a mitigation for potential cache
+  # poisoning attacks:
+  # https://docs.openstack.org/designate/queens/admin/production-guidelines.html#bind9-mitigation
+  concat::fragment { 'dns minimal-responses':
+    target  => $::dns::optionspath,
+    content => 'minimal-responses yes;',
+    order   => '21',
+  }
+
   # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
   # Debian. Both groups only have read access but require write permission in
   # order to be able to use rndc addzone/delzone commands that Designate uses.