
Improve DNS authoritative transaction controls#2060

Open
shensz2017 wants to merge 1 commit into UnitOneAI:main from shensz2017:improve/dns-authoritative-transaction-controls

Conversation

@shensz2017


Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: dns-security
Skill path: skills/network/dns-security/SKILL.md

What Was Wrong

The DNS security review covered DNSSEC, encrypted DNS transport, RPZ/protective DNS, and DNS exfiltration detection, but did not include explicit evidence gates for authoritative DNS transaction controls. A signed public zone could still pass core review while allowing open AXFR/IXFR, broad dynamic updates, unknown secondary targets, or missing transfer/update logging.

Related review issue: #2059

What This PR Fixes

  • Adds a dedicated NIST SP 800-81 Sections 3/6 review step for authoritative DNS transaction controls.
  • Requires restricted allow-transfer ACLs for approved secondaries.
  • Requires TSIG or equivalent authentication for AXFR/IXFR.
  • Requires scoped update-policy for dynamic updates instead of broad allow-update.
  • Adds approved secondary / NOTIFY inventory checks and split-horizon leak checks.
  • Adds transfer/update/failed-TSIG logging expectations.
  • Updates severity classification, output format, common pitfalls, and RFC references.

Evidence

Before (skill could miss this):

zone: corp.example
named_conf: |
  zone "corp.example" {
    type primary;
    allow-transfer { any; };
    allow-update { any; };
    also-notify { 198.51.100.77; };
  };
dnssec:
  signed: true
  ds_record_published: true
transaction_controls:
  tsig_for_axfr_ixfr: missing
  transfer_logging: disabled

After (now correctly handled):

named_conf: |
  zone "corp.example" {
    allow-transfer { key "xfr-secondary-a"; 192.0.2.53; };
    update-policy {
      grant "dhcp-ddns-key" subdomain "dynamic.corp.example" A TXT;
    };
    also-notify { 192.0.2.53 key "xfr-secondary-a"; };
  };
transaction_controls:
  tsig_for_axfr_ixfr: configured
  update_policy: scoped_by_key_subdomain_and_record_type
  transfer_logging: enabled

Test Cases Added/Updated

  • Added vulnerable test case: tests/vulnerable/dns-security-open-zone-transfer-dynamic-update.yaml
  • Added benign test case: tests/benign/dns-security-restricted-transfer-update-policy.yaml
  • Existing tests still pass / no executable test harness exists in this repository; validated with git diff --check, git diff --cached --check, and key-field checks for the new YAML evidence files.

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: GitHub Sponsors
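An added example, not code from the PR or from the dns-security skill, that turns the evidence gates listed above into a checker: it parses a single BIND zone block and reports what the skill would now flag (open AXFR/IXFR, transfer ACL without a TSIG key, allow-update instead of a scoped update-policy, also-notify targets outside the approved inventory). The approved-secondary set and the finding wording are assumptions of this example; the two zone blocks are the PR's own before/after evidence.

```python
import re

# Constructed inventory of approved secondaries for this example.
APPROVED_SECONDARIES = {"192.0.2.53"}

# The two zone blocks from the PR's evidence section, embedded as test input.
OPEN_ZONE = """zone "corp.example" {
  type primary;
  allow-transfer { any; };
  allow-update { any; };
  also-notify { 198.51.100.77; };
};"""
HARDENED_ZONE = """zone "corp.example" {
  allow-transfer { key "xfr-secondary-a"; 192.0.2.53; };
  update-policy {
    grant "dhcp-ddns-key" subdomain "dynamic.corp.example" A TXT;
  };
  also-notify { 192.0.2.53 key "xfr-secondary-a"; };
};"""

def _stmt(conf, name):
    """Body of a `name { ... };` statement in the zone block, or None if absent."""
    m = re.search(re.escape(name) + r"\s*\{(.*?)\}\s*;", conf, re.S)
    return m.group(1).strip() if m else None

def review_zone(conf, approved=APPROVED_SECONDARIES):
    """Apply the transaction-control evidence gates; an empty list means pass."""
    findings = []
    xfr = _stmt(conf, "allow-transfer")
    if xfr is None:
        findings.append("allow-transfer: no explicit ACL, transfers fall back to server default")
    elif re.search(r"\bany\b", xfr):
        findings.append("allow-transfer: open AXFR/IXFR to any client")
    elif "key " not in xfr:
        findings.append("allow-transfer: address-only ACL, no TSIG key required")
    upd = _stmt(conf, "allow-update")
    if upd is not None:  # the gate wants a scoped update-policy, not allow-update
        scope = "open to any client" if re.search(r"\bany\b", upd) else "address-based"
        findings.append(f"allow-update: {scope} ACL instead of scoped update-policy")
    pol = _stmt(conf, "update-policy")
    if pol is not None and not re.search(r"\bgrant\b.*\bsubdomain\b", pol, re.S):
        findings.append("update-policy: grant is not scoped to a subdomain")
    targets = [t.strip() for t in (_stmt(conf, "also-notify") or "").split(";")]
    for target in filter(None, targets):
        ip = target.split()[0]
        if ip not in approved:
            findings.append(f"also-notify: {ip} is not an approved secondary")
        elif "key " not in target:
            findings.append(f"also-notify: {ip} is notified without a TSIG key")
    return findings
```

Run against the two samples, the open zone yields three findings and the hardened zone yields none; swapping the inventory for an empty set shows the unknown-secondary check firing on its own.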
