Move per-rule user options onto their owning rules

Each of the seven user options was read by exactly one rule, so expose
them via CheckRuleWithOptions instead of the checker-wide UserOpts list.
This keeps each rule's configuration colocated with its evaluation
logic.

checker/rules_enumeration.go

@@ -102,6 +102,27 @@ func (nsec3IterationsRule) Name() string { return "dnssec_nsec3_iterations" }
 func (nsec3IterationsRule) Description() string {
 	return "Verifies that NSEC3PARAM.Iterations is at most nsec3IterationsMax (default 0, per RFC 9276 §3.1)."
 }
+func (nsec3IterationsRule) Options() sdk.CheckerOptionsDocumentation {
+	return sdk.CheckerOptionsDocumentation{
+		UserOpts: []sdk.CheckerOptionDocumentation{
+			{
+				Id:          "nsec3IterationsMax",
+				Type:        "uint",
+				Label:       "Maximum NSEC3 iterations",
+				Description: "RFC 9276 §3.1 sets the recommended ceiling at 0. Increase only if your signer cannot publish 0 yet.",
+				Default:     defaultNSEC3IterationsMax,
+			},
+			{
+				Id:          "nsec3IterationsSeverity",
+				Type:        "choice",
+				Label:       "Severity when NSEC3 iterations exceed the ceiling",
+				Choices:     []string{"warn", "crit"},
+				Default:     defaultNSEC3IterationsSeverityWarn,
+				Description: "Use 'crit' to enforce RFC 9276 strictly.",
+			},
+		},
+	}
+}
 
 func (nsec3IterationsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts sdk.CheckerOptions) []sdk.CheckState {
 	data, errState := loadDNSSEC(ctx, obs)