Observe the NS RRset TTL from each parent server (ParentView.NSTTL) and
whether each NS target name is a CNAME alias (ChildNSView.CNAMETarget).
Two new rules judge the collected facts:
- delegation_ns_ttl_inconsistent: warns when parent servers disagree on
the NS TTL, which indicates zone-data inconsistency between primaries.
- delegation_ns_is_cname: flags NS targets that are CNAME aliases as
critical, per RFC 2181 §10.3 which forbids aliased NS names.
Move the "skip DNSKEY when no parent DS" decision out of Collect and
into the rules, so the prober stays a pure observer. The dnskeyQueryRule
and dnskeyMatchesDSRule already return StatusUnknown when no parent DS
is present.
The binary doubles as its own healthcheck client via the SDK's
-healthcheck flag, so the probe works in the scratch image
(no shell, no curl, no wget).
