Move per-rule user options onto their owning rules

Each of the seven user options was read by exactly one rule, so expose
them via CheckRuleWithOptions instead of the checker-wide UserOpts list.
This keeps each rule's configuration colocated with its evaluation
logic.

checker/rules_keys.go

@@ -139,6 +139,18 @@ func (rsaKeySizeRule) Name() string { return "dnssec_rsa_keysize" }
 func (rsaKeySizeRule) Description() string {
 	return "Verifies RSA DNSKEYs reach a minimum modulus size (default 2048 bits)."
 }
+func (rsaKeySizeRule) Options() sdk.CheckerOptionsDocumentation {
+	return sdk.CheckerOptionsDocumentation{
+		UserOpts: []sdk.CheckerOptionDocumentation{
+			{
+				Id:      "minRSAKeySize",
+				Type:    "uint",
+				Label:   "Minimum RSA modulus size (bits)",
+				Default: defaultMinRSAKeySize,
+			},
+		},
+	}
+}
 
 func (rsaKeySizeRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts sdk.CheckerOptions) []sdk.CheckState {
 	data, errState := loadDNSSEC(ctx, obs)
@@ -194,6 +206,18 @@ func (kskPresentRule) Name() string { return "dnssec_ksk_present" }
 func (kskPresentRule) Description() string {
 	return "Verifies at least one DNSKEY has the SEP bit (KSK)."
 }
+func (kskPresentRule) Options() sdk.CheckerOptionsDocumentation {
+	return sdk.CheckerOptionsDocumentation{
+		UserOpts: []sdk.CheckerOptionDocumentation{
+			{
+				Id:      "requireSEP",
+				Type:    "bool",
+				Label:   "Require a KSK (DNSKEY with SEP bit)",
+				Default: defaultRequireSEP,
+			},
+		},
+	}
+}
 
 func (kskPresentRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts sdk.CheckerOptions) []sdk.CheckState {
 	data, errState := loadDNSSEC(ctx, obs)