Move status inference out of observation layer into rules

The prober (collect.go) was calling inferApexDNSKEYStatus during
zone parsing, effectively making a SECURE/BOGUS judgement inside the
collection phase rather than the evaluation phase.  The DNS-rcode
fallback (z.Status = z.DNSStatus) was also applied at parse time.

checker/rules_status.go

@@ -35,13 +35,14 @@ func (r *overallStatusRule) Evaluate(ctx context.Context, obs sdk.ObservationGet
 		leaf = zones[0]
 		z = data.Zones[leaf]
 	}
+	eff := effectiveStatus(z)
 	st := sdk.CheckState{
 		Code:    "dnsviz_overall_status",
 		Subject: leaf,
-		Status:  statusFromGrok(z.Status),
-		Message: fmt.Sprintf("DNSViz status: %s", emptyAsUnknown(z.Status)),
+		Status:  statusFromGrok(eff),
+		Message: fmt.Sprintf("DNSViz status: %s", emptyAsUnknown(eff)),
 		Meta: map[string]any{
-			"status":   z.Status,
+			"status":   eff,
 			"errors":   len(z.Errors),
 			"warnings": len(z.Warnings),
 		},
@@ -72,11 +73,12 @@ func (r *perZoneStatusRule) Evaluate(ctx context.Context, obs sdk.ObservationGet
 	out := make([]sdk.CheckState, 0, len(zones))
 	for _, name := range zones {
 		z := data.Zones[name]
+		eff := effectiveStatus(z)
 		out = append(out, sdk.CheckState{
 			Code:    "dnsviz_per_zone_status",
 			Subject: name,
-			Status:  statusFromGrok(z.Status),
-			Message: fmt.Sprintf("%s: errors=%d warnings=%d", emptyAsUnknown(z.Status), len(z.Errors), len(z.Warnings)),
+			Status:  statusFromGrok(eff),
+			Message: fmt.Sprintf("%s: errors=%d warnings=%d", emptyAsUnknown(eff), len(z.Errors), len(z.Warnings)),
 		})
 	}
 	return out