Move per-rule user options onto their owning rules

Each of the seven user options was read by exactly one rule, so expose them via CheckRuleWithOptions instead of the checker-wide UserOpts list. This keeps each rule's configuration colocated with its evaluation logic.
2026-05-19 21:51:12 +08:00 · 2026-05-19 21:51:12 +08:00 · 81ca1810f1
commit 81ca1810f1
parent 6c5f06a3ff
5 changed files with 76 additions and 48 deletions
--- a/checker/definition.go
+++ b/checker/definition.go
@ -26,54 +26,6 @@ func Definition() *sdk.CheckerDefinition {
 					Description: "Recursive resolver used to discover the apex name servers and to look up the parent DS. Defaults to /etc/resolv.conf.",
 				},
 			},
-			UserOpts: []sdk.CheckerOptionDocumentation{
-				{
-					Id:          "nsec3IterationsMax",
-					Type:        "uint",
-					Label:       "Maximum NSEC3 iterations",
-					Description: "RFC 9276 §3.1 sets the recommended ceiling at 0. Increase only if your signer cannot publish 0 yet.",
-					Default:     defaultNSEC3IterationsMax,
-				},
-				{
-					Id:          "nsec3IterationsSeverity",
-					Type:        "choice",
-					Label:       "Severity when NSEC3 iterations exceed the ceiling",
-					Choices:     []string{"warn", "crit"},
-					Default:     defaultNSEC3IterationsSeverityWarn,
-					Description: "Use 'crit' to enforce RFC 9276 strictly.",
-				},
-				{
-					Id:          "signatureFreshness",
-					Type:        "uint",
-					Label:       "RRSIG freshness WARN threshold (days)",
-					Description: "Warn when the closest RRSIG expires in fewer than this many days.",
-					Default:     defaultSignatureFreshnessDays,
-				},
-				{
-					Id:          "signatureFreshnessCrit",
-					Type:        "uint",
-					Label:       "RRSIG freshness CRIT threshold (days)",
-					Default:     defaultSignatureFreshnessCrit,
-				},
-				{
-					Id:          "minRSAKeySize",
-					Type:        "uint",
-					Label:       "Minimum RSA modulus size (bits)",
-					Default:     defaultMinRSAKeySize,
-				},
-				{
-					Id:          "requireSEP",
-					Type:        "bool",
-					Label:       "Require a KSK (DNSKEY with SEP bit)",
-					Default:     defaultRequireSEP,
-				},
-				{
-					Id:          "dnskeyTTLMin",
-					Type:        "uint",
-					Label:       "Minimum DNSKEY TTL (seconds)",
-					Default:     defaultDNSKEYTTLMinSec,
-				},
-			},
 			DomainOpts: []sdk.CheckerOptionDocumentation{
 				{
 					Id:       "domain_name",